
Second Edition 


Cybervetting 

Internet Searches for 
Vetting, Investigations, and 
Open-Source Intelligence 


Edward J. Appel 




Second Edition 


Cybervetting 

Internet Searches for 
Vetting, Investigations, and 
Open-Source Intelligence 


Edward J. Appel 







Contents 


Study Summary. 


Implications for the Enterprise. 

Introduction. 

Employer Liability. 

The Evolving Personnel Security Model... 


SECTION II LEGAL AND POLICY CONTEXT 

Liability for Service Providers. 

Liability for Employers... 

Accountability for Employees. 


Federal Statutes. 

State Statutes..... 

Federal Rules of Evidence and Computer Records..., 

US Legislative Proposals. 















Contents 


Admissibility of Electronically Generated and Stored Evidence.Ill 

Trends and Legal Challenges to Investigative Searching.112 


9 


10 


11 


International and Domestic Principles. 

US and International Privacy Principles. 

Government Standards.. 

Parallel Guidance: Internet Research Ethics.. 

Professional Standards and the Internet. 

Introduction. 

ASIS Standards.. 

National Association of Professional Background Screeners.. 
Association of Internet Researchers.. 

Inside and Outside the Workplace. 

Reputational Risk, Public Affairs.. 

Bottom Line. 

The Insider Threat.. 

Introduction. 

Benevolent Big Brother...... 


SECTION III FRAMEWORK FOR INTERNET SEARCHING 

12 Internet Vetting and Open-Source Intelligence Policy. 

Introduction. 

Legal and Ethical Limitations. 


Introduction.157 

Training Analysts.162 

Open-Source Intelligence Process.163 

Quality Control.166 

Notes... 168 


14 Proper Procedures for Ir 

Introduction. 


.169 

,.169 

,170 











Contents 




SECTION IV INTERNET SEARCH METHODOLOGY 

15 Preparation and Planning. 

The Library. 

16 Search Techniques. 

Introduction. 

Internet Content. 

The Search Engine. 

Finding Search Engines. 

Social and Commercial Searching. 

Social Networking Sites. 

E-Commerce Sites. 

Directories. 


17 


Blogs. 

Chat. 

Finding Sources.. 

Introduction. 

US Government,, 


Other Government-Related Sources . 
Business-Related Sources. 


Web 2.0. 

Looking Up Subscribers. 

E-Mail. 

Commercial Database Providers. 


18 Automation of Searching.. 

Introduction. 

Why Automate Searching?, 


.172 

.175 

.175 


179 

179 

182 

186 

189 


190 

195 


,197 

,197 

,202 


,205 


...209 

,..209 

,..210 


,215 

,215 

,219 

,221 

,223 

.225 

,225 















can create nightmares for enterprise IT security and management. 

As Stewart Baker, former NSA general counsel and assistant secretary of the 

able to the privileged and rich as we balance privacy rights with security concerns. 
He does not worry so much about government surveillance, after 60 years of IT 
growth, as he does about private-sector and black-hat hacker (e.g., Anonymous) 

increased risks and vulnerabilities will demand the sacrifice of privacy, as we 
struggle to adopt effective security measures. Similarly, Richard Clarke, antiterror¬ 
ism and cyber security coordinator for several US presidents, predicted that cyber 
attacks, both by nation-states and criminals, will result in additional billions of dol- 


China and Iran. 4 Clarke noted that we cannot defend ourselves successfully against 
a cyber attack, especially when we cannot prove who conducted it. 





ees, contractors, and customers, the American enterprise appears to believe that 

networking and websites as necessary means of interaction and transactions. Hie 
competing philosophies of exposure and protection of information only seem to tilt 
toward more security when disaster strikes, and then the expense and complexity 


A key concept of critical infrastructure protection, which appears to lack accep- 
the need to ensure that each individual meets the standards of the agency or busi- 

human resource (HR) or human capital have meaning beyond mere “personnel,” 
it is that the right people, carefully chosen and fully supported, make a success¬ 
ful enterprise. However, paralysis and low budgets among the key actors in HR, 
legal, security, and IT departments often cause insufficient vetting (both before and 
after hiring); overreliance on technical measures to protect systems, networks, and 
data; and insufficient investment in employee orientation, training, supervision, 
mentoring, and monitoring to ensure information assurance. Because nearly every 
organization is dependent for its existence, operations, and progress on its informa- 

when corporations hoard cash and ignore the critical value of the individual insider, 
it is not surprising that catastrophic failures occur. 

of cyber security and the trends in motion. A large number of such reports were 
reviewed in the preparation of this book, some of which are end-noted. While 
I remain skeptical of the reliability and specific value of the statistics in cyber secu¬ 
rity reports, like the river flowing green in Chicago on St. Patrick’s Day, one does 
not need to know how many gallons of coloring, by whom, or where the green dye 
was injected to observe that the river is now green. The state of our cyber security is 
unacceptably low. Unless we address the human factor, it will remain so. 

This book is dedicated to intelligence, investigative, and research professionals 




■ Introduction 


continually learn what is available, to collect online. Some institutions, businesses, 
and other organizations adapt more slowly than others. The law (statute, litigation, 
regulation) is also deliberate in addressing technological and social change. Because 
this book is about Internet intelligence methodology and legal frameworks, it is 
also about how to approach changes. Every effort has been made to keep this text 
forward looking, timely, useful, and adaptable to likely outcomes. 

Open-source intelligence increasingly relies on fusion of data from all-source 
collection and analysis, with Internet data included. Such intelligence is a vital part 

benchmarking, and background vetting. Without items posted online, an investi¬ 
gative report on any topic may not be timely or complete or include the basis for 

To enable collection of data documented on the Internet, it is important to 
understand the legal and privacy principles necessary to keep Internet searches law¬ 
ful, fair, equitable, and transparent, especially for cybervetting (background inves- 

This book was written to advocate improved security measures and establish 

part of investigations and intelligence collection, with legal, policy, and procedural 
principles and methods suitable to the purpose. The guidance here should help 

to apply the right techniques and thereby significantly improve their practices. 
Likewise, this book is meant to help investigative professionals develop the core 

the web on every topic imaginable and to integrate them into analytical processes 
that are useful in academic, professional, and personal life. 

It is hoped this second edition can be used to learn or review cybervetting meth- 

in integrating cybervetting into existing screening procedures, or find resources on 


Notes 

Post, December 23, 2013 (accessed April 29, 2014); and NPR summary, http://www. 
2. King, Rachael, Ex-NSA Chief Details Snowdens Hiring at Agency, Booz Allen, Wall 









BEHAVIOR AND 
TECHNOLOGY 



■ Behavior and Technology 


In this section, the need for Internet searching for in 
ting and intelligence, is explored. 


Notes 

1. Clinton, Bill, Excerpts Horn Transcribed Remarks by the President and the Vice 
President to the People of Knoxville on Internet for Schools, The White House, Office 
of the Press Secretary, October 10, 1996, http://govinfo.library.unt.edu/npr/library/ 
speeches/101096.html (accessed August 6, 2010). 

Security Resource Center, http://csrc.nist.gov/; US Department of Justice, Computer 
cybercrime.gov/linksl .htm#ISSRb. 

3. Dam, Kenneth W., and Lin, Herbert S., editors, Cryptography’s Role in Securing the 
Information Society, National Research Council (Washington, DC: National Academy 
Press, 1996); Schneider, Fred B., editor. Trust in Cyberspace, National Research Council 
(Washington, DC: National Academy Press, 1999); Lewis, James A., project direc¬ 
tor, Securing Cyberspace for the 44th Presidency, a Report of the CSIS Commission on 
Cybersecurity for the 44th Presidency (Washington, DC: Center for Strategic and 
International Studies, December 2008); O’Harrow, Robert, Jr., No Place to Hide (New 
York: Free Press, 2005). 




Chapter 1 


The Internet's Potential 
for Investigators and 
Intelligence Officers 


Introduction 

networks and all types of organizations’ computer facilities around the world. 1 
Standard Internet protocols (IPs) are used for electronic, optic, wired, and wire- 

documents, music, and videos, for example, are exchanged on the World Wide Web, 
which has made the words web and net more or less synonymous with the Internet. 

By design, the Internet is “public.” Incredible quantities of data on the Internet 
are available to anyone with a computer and a browser. Some websites limit access 
to hosted data in various ways, and some allow the individual posting informa¬ 
tion to invoke privacy restrictions on unauthorized access. If no limitations apply, 
posted information is open to the public. Some websites require users to register 
to gain access to data, but registered users are not restricted in their use of the 
site’s data, within its authorized use policy (AUP) and applicable copyright and 
trademark law. Therefore, on a great number of sites, the posted information could 

tain uses of hosted information, such as for commercial purposes or marketing 
(e.g., spam, unsolicited commercial e-mail). Advanced computer users (“hackers”) 
might be able to bypass programs restricting access and illicitly view, copy, delete 
or alter data, or reprogram servers online. Users often must agree to abide by AUPs 













Cybervetting 



















investigators, human resour< 
ing people in the workplace 
potentially useful. Today, th 
subordinates, and just aboui 
nizations wait to consider tl 
vetting in personnel proces 
procedures, and methods fc 

to fill in online application 
preemployment processing. 1 


: staff, attorneys, and everyone else involved in assess- 
includes googling applicants, co-workers, superiors, 

right (ethical, fair, effective) way to include Internet 
s, the staff has already adopted their own policies, 
inquiring into individuals’ online presence. 17 Many 

rms and communicate at least in part online during 
tomation not only makes the process potentially more 









12 ■ Cybervetting 


or documented online (e.g., Title VII attributes like sex, race, nationality, religion, 
etc.). Many such factors are perceptible to those processing applicants from sources 
other than the Internet. There is no valid inference that mere knowledge of such a 
factor resulted in discrimination. However, the process of documenting results of 
cybervetting may be critical to remove doubt that discrimination may be present in 
the adjudication of background investigation results, regardless of the sources used. 

Today, an individual’s social circle may not be defined as much by geography 
as it is by electronic connectivity. Using social networking websites, instant mes- 

themselves by posting it online or sending it (illustrated with photos, video, and 
sound) to a list of friends and acquaintances located nearby or far away—or to any 
of several billion Internet users who care to look. The profiles created often include 
peccadilloes, problems, and misbehavior unlikely to have been communicated or 
documented electronically in a previous era. 21 To address publicly posted evidence 
of misbehavior, about 45% of employers (up 20% from the previous year) told a 
2009 CareerBuilder.com survey that they search the Internet for social postings 
by applicants to see if what they find may have an impact on a hiring decision. 

in “no-hire” decisions. Among the reasons cited in the CareerBuilder survey for 

or drug use; bad-mouthing previous employers, co-workers, or clients; poor com¬ 
munications skills; discriminatory comments; misrepresentation of qualifications; 


A Practitioner's Perspective 

In over 8 years of systematic Internet searches on individuals under investigation, 

exclusively seen online and some collected both on the Internet and from other 
sources. The vast majority of the information found supports subjects’ candidacies, 

in nature. In our experience, about 10% of those being screened for employment 
have had references online significant enough to warrant concern about their eli¬ 
gibility or suitability. Results of two studies supporting the 10% derogatory ratio 
of cybervetting results appear further along in this book. During investigations 
and collection of open-source information about suspected individuals (those likely 
to have committed wrongdoing), we have found online documentation of illegal, 
illicit, or socially unacceptable behavior considerably more often than not. The bot¬ 
tom line is that the Internet is a valuable source of information on individuals. 

organizations of all kinds, groups, entities, brands, and topics are profiled more 
efficiently when Internet sources are used, in addition to any other investigative and 






and books illustrating how important reference materials online have become to 

keting and sales purposes, with over 400 different tools providing corporations 
instant feedback on customer perceptions. 25 


The Search 

Creation and innovation in Internet search tools have provided the opportunity 
for Internet research to grow quickly. Finding open-source information on virtu- 

internet continuously expand. The quantity of data itself has become an issue, as 
expansion of information, storage capacity, and online availability (e.g., through 

Internet itself is estimated to contain 71 billion web pages, 27 the human genome 
mapping project and astronomical data online contain many terabytes of informa¬ 
tion, and more than 500 million Facebook users spend 8 billion minutes daily 
uploading photos (1.2 million per second). 28 The International Data Corporation 
reported that the amount of global data created and replicated during 2012 was 
2.7 zettabytes. 29 Cisco estimated that by 2017 the amount of global IP traffic will 
reach 1.4 zettabytes a year. 30 Because most humans are still struggling to under¬ 
stand that 20 gigabytes of data constitute a pile of 8.5 by 11 inch, single-spaced, 

to terabytes to petabytes to exabytes to zettabytes has come all too quickly. The pre¬ 
fix zetta indicates the seventh power of 1,000 and means 10 to the 21st power in the 




Cybervetting 



Figure 1.7 Growth in stored data available online has been staggering and 
forced a change in the scales of measurement used from gigabytes and beyond to 
exabytes and zettabytes (see Note 26). 

International System of Units. (See Figure 1.7, which shows the trend in exabytes 

Based on recent statistics, it appears that hundreds of billions of queries are 
made through search engines monthly, and Google searches alone have climbed 
to over 5 billion searches daily (almost 2 trillion annually; see Figure 1.8). 31 In 
2008, Google said its search engine had “crawled” (collected and indexed material) 
from 1 trillion unique URLs (uniform resource locators), or web addresses, 32 and 
as of 2013, claimed its index contains over 100 million gigabytes. 33 Although these 
statistics are provided to give a sense of the volume of Internet searches conducted 
and data cached, their most important meaning is that Internet searches are popu- 

depend on search engines for much of their revenue. Just as we should be a bit skep¬ 
tical about the statistics’ precision, we should also understand that search engines 
exist primarily to sell, and as Googles multibillion-dollar income illustrates, the 
audience is huge and continuing to expand. Both data growth and data mining are 
related to the uses made of the Internet and its usefulness to researchers. Both 

One conclusion haunting security and counterintelligence officers is that find¬ 
ing the information needed (on or off the Internet) and information assurance will 

adjudicators, intelligence personnel, and other authorities all use the Internet to 






it hardly can be said to enjoy privacy protection. However, depending on the role 
and intentions of the searcher, Internet data that may have an impact on a deci¬ 
sion assumes another character and must be approached according to some basic 
principles. The alternative could result in unfair, arbitrary, or prejudicial treatment. 


Internet Posts and the People They Profile 

toon, in which a dog at a keyboard was speaking to another dog. 35 Even when the 
name, nickname, “handle,” or other identifiers of the person of interest appear 
on a web page, one may not know who actually posted it. Essentially, there are 
many ways to post material anonymously or falsely in another’s name, with or 
without skilled hacking or knowledge of another person’s password. Current social 




The Internet's Potential for Investigators and Intelligence Officers 


address naming have evolved to recognize the uncomfortable fact that executives 
and public figures should not employ a straightforward e-mail address lest they 

conventions create a situation in which almost everyone fails to list all their “virtual 


(e.g., John.Doe@gmail.com, John.Doe@bigbusiness.net) and a recreational, more 
online is rendered more difficult when they use multiple identities for different 




The Internet's Potential for Investigators and Intelligence Officers ■ 19 


Finding the Needles 

Those familiar with database administration will no doubt understand that the “data 
density” and unstructured formatting of Internet data add complex problems to the 
task of thorough searching. Because society has gotten used to using Google as its 
overwhelming choice for most Internet searching, it may come as a shock that Google 
provides neither complete nor unbiased results. Although the results page may show 

10 at a time, unless you adjust the settings. Google (and similar search engines) use 

Rather than searching the Internet that exists at the moment the search is launched, 
search engines refer to mammoth databases of information collected (“cached”) and 

by month. Not all websites, and not all pages or website-accessible databases, allow 
spiders to record their contents. Therefore, even in the best of circumstances, a search 
engine can only deliver a small portion of available information to the searcher. 39 

A key challenge is finding information identifiable with a person, entity, or 
topic of interest. The volume of data available on the Internet is such that there will 

information is necessary. Further, finding references and links that lead to more 
useful, detailed, or relevant information (based on the purpose of the search) is 
at times a difficult task. Many researchers become so bogged down in “hits” from 
search engines that they fail to utilize the wide variety of sites where databases with 

social networking, business or organizational websites, and activity group sites like 
blogs, calendars, and chat. Mining data that could more likely provide accurate, 
detailed results requires insightful analysis of the subject of inquiry, based on his or 
her known profile, and exploiting Internet sites likely to provide nonindexed (but 
richer) information. In short, nothing can substitute for knowledge of and experi¬ 
ence on the Internet (not even Google). 


The Need for Speed 

tion, filtering, and analysis is an important aspect of searching. If they take too long, 
Internet searching and analysis become counterproductive as investigative methods. 
Fortunately, search and analysis tools enable much greater efficiencies. A 40-hour 

lysts, provided that they have the right systems, processes, training, and experience. 
Over 8 years’ experience with my group of skilled web searchers have proved two 
insights: The human analyst remains a key processor in Internet searches, and two or 






20 ■ Cybervetting 


its will most often come up with better results if they work as a 

to differ, no one analyst knows (or thinks of) all the possible Internet sources to use, 
and two or more heads are inevitably better than one. A corollary is that by pursu- 

confines the search to the first set of references that are presented by a search engine. 
When appropriate technology and methodology are applied, Internet searching can 


Sufficiency of Searches 

Because the oceans of data available on the Internet contain valuable facts on many 

tigations and intelligence production. For individuals, businesses, and government 
n Internet presence is critical for networking, information dissemina- 

data of all kinds accessible online are paying off, as reference materials, govern¬ 
ment records, media reports, books, and profiles of people have been added. Along 

hundreds of millions of users. Both the benign and the derogatory appear in large 
quantities of references on people, enterprises, and topics. It follows that business 

has the facts needed to make timely, valid decisions. Over the past several years, 
extensive Internet research has demonstrated that unique and valuable information 

and vetting. Unfortunately, many firms, agencies, and organizations lack a policy, 
procedures, or a thoughtful approach to Internet searching. This does not mean 
that searches are not conducted. Quite the contrary: Searches are done in great 
numbers, many incompletely or poorly, and results are not always used as they 

can structure its approach to Internet searching so that results are not only useful 
but also lawful, fair, and fully within national and international standards. 


Notes 

1. Merriam-Webstcr, Internet definition, http://www.merriam-wcbster.com/netdict/ 
internet; Wikipedia, http://en.wikipedia.org/wiki/Intemet (accessed October 24, 2013). 

2. Organization for Economic Cooperation and Development (OECD) resources on 

oecd!lrg/document/56/0,3343fen_2l57136l_34590630_34^474l6_l_l^l_l,00. 






The Internet's Potential for Investigators and Intelligence Officers ■ 


Pages/Trend-Data-(Adults)/Whos-Onlinc.aspx (accessed October 25, 2013). § 

5. Hie Zettabyte Era, Trends and Analysis, Cisco estimate of Internet traffic growth, 
http://www.cisco.com/cn/US/solutions/collatcral/ns34l/ns525/ns537/ns705/ns827/ 
VNI_Hyperconnectivity_WP.pdf (accessed October 25, 2013). 

6. Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 
2012-2017, http://www.cisco.com/cn/US/solutions/collatcral/ns34l/ns525/ 
ns537/ns705/ns827/whitc_papcr_cl l-520862.html; http://tools.cisco.com/scarch/ 
rcsults/cn/us/gct#q=total+Global+IP+traffic&pr=enushomesppublished&basepr 

=&to=0&fr=7&un=true&aus=false&cc=0&pf=& (accessed October 25, 2013). 
(accessed October 25, 2013). 

8. Madden, Mary, and Jones, Sydney, Networked Workers, September 2008, http://www. 
pewinternet.org/Reports/2008/Networked-Workers.aspx (accessed November 3, 2013). 

9. Meetings of Computer Crime and Digital Evidence Ad-Hoc Committee, International 
Association of Chiefs of Police, 2005-2012, in which briefings were received from law 
enforcement on computer crime and digital evidence trends seen by law enforcement 

10. King, Rachael, Departing Employees Are Security Horror, Wall Street Journal, 
October 21, 2013, http://online.wsj.com/news/articles/SBl000l4240527023034420 
04579123412020578896 (accessed October 25, 2013), reporting results of a survey 

11. See Note 9. 7 

12. Halpin, James, Prostitution Moving from Street Corners to Online Ads, Experts 
Said, Scranton Times-Tribune, October 13, 2013, http://thetimes-tribune.com/news/ 
prostitution-moving-from-street-corners-to-online-ads-experts-said-1.1568034 
(accessed October 25, 2013). 

bitcoin-drug-0345l6881.html (accessed October 25, 2013). 

14. Anderson, Janna Q., Elon University, and Rainie, Lee, Pew Research Centers 







■ Cybervetting 


18. Nixon, W. Barry, and Kerr, Kim M., Background Screening and Investigations, Managing 
Risk from HR and Security Perspectives (New York: Elsevier, 2008). 

19. Studies and investigations I conducted of thousands of individuals have found that a 


20. Security Policy Reviews, Intelligence Office, National Security Council, The White 
House, Washington DC, January 1995-May 1997, by the author as director, Security 

Evaluation of DCID 1/14 Investigative Requirements (Washington, DC: Director of 

interviews, which are also the most expensive and time consuming.” PERSEREC, 
SSBI Source Yield: An Examination of Sources Contacted during the SSBI, TR 96-01, 

21. Madden, Mary, Fox, Susannah, Smith, Aaron, and Vitak, Jessica, Digital Footprints, 
Online Identity Management and Search in the Age of Transparency, Pew Internet and 
American Life Project, December 16, 2007, http://pewresearch.org/pubs/663/digital- 
footprints; (accessed June 24, 2010). 

candidates/ (accessed March 30, 2010); Kwoh, Leslie, Beware: Potential Employers 
Are Watching You, Wall Street Journal, October 29, 2012, http://online.wsj.com/ncws/ 
articles/SBl0000872396390443759504577631410093879278#printMode (accessed 
October 25, 2013). 

23. DeMcrs, Jayson, The Top 7 Online Marketing Trends that Will Dominate 2014, 
Forbes, September 17, 2013, http://www.forbes.com/sitcs/jaysondcmcrs/2013/09/17/ 


AORN Journal, September 2000; Cassell, Kay Ann, and Hiremath, Uma, Reference 
and Information Services in the 21st Century, An Introduction, 2nd cd. (Chicago: Ncal- 

25. Brynley-Jones, Luke, What to Look for in a Social Media Monitoring Tool, November 
2012, http://socialmediatoday.com/lbrynleyjones/993011/what-look-social-media- 

26. IDC Digital Universe Study—Data Growth, http://gigaom.com/2013/10/02/how- 
the-industrial-internet-will-help-you-to-stop-worrying-and-love-the-data/screen-shot- 
2013-09-24-at-4-l 1-40-pm/ (accessed November 4, 2013). 

27. Ohio State University Internet guide, http://liblearn.osu.edu/guides/weekl/pg6.html 
(accessed November 4, 2013). 

28. Barbara, John J., Data Storage Issues, DFI News, September 17, 2013, http:// 
www.dfinews.com/articles/2013/09/data-storage-issucs (accessed July 15, 2004) 
et_cid=3555443&ct_rid=454846245&type=cta#.Um7KDM3D_IU. 

29. IDC Predicts 2012 Will Be the Year of Mobile and Cloud Platform Wars as IT Vendors 
Vie for Leadership While the Industry Redefines Itself, December 1, 2011, http:// 






The Internet's Potential for Investigators and Intelligence Officers 












Cybervetting 




Behavior Online 


widespread exposure of postings. Note that sites’ AUPs may forbid certain uses 
of information (e.g., collecting users’ identifying data for commercial advertising 
purposes), but having an account allows a user to see other users’ public profiles. 
Although users can invoke privacy controls, a large number do not choose to do 
so. 10 This results in a large number of postings of a potentially offensive nature, 
such as self-admitted drug and alcohol abuse and postings offering pornography. 
Employees using ostensibly innocent sites can expose the workplace to those offen- 

inside the workplace. 

Increasingly, businesses monitor or block employees’ Internet surfing, personal 
e-mail, blogging, social networking, shopping, and other online activities on com¬ 
pany machines. A substantial percentage of monitored employees are caught and 
disciplined or fired for improper systems use. Most employers told an American 
Management Association survey 11 that although they notify employees of the mon¬ 
itoring, there is an increasing incidence of disciplinary action. Clearly, this indicates 
that the temptation to abuse employers’ systems overcomes the threat of disciplin- 

for e-mail misuse. At the root of concern is accountability for online actions. As 

didates’ Internet habits before hiring and employers who monitor employees’ work 
computers on the job. As yet, formal Internet vetting appears not to be a common 
practice, at least not so common that it was included in the survey. 

The incidence of employee criminal activities detected has grown, according 
to recent surveys, including studies of identity theft, retail industry losses, data 
breaches by insiders and outsiders, and intellectual property loss. 12 An additional 

cases that go to jury trials, as cited by Barry Nixon and Kim Kerr in their excel- 

trends suggests that employers have reason for concern about the potential inci¬ 
dence, impact, and security implications of illicit computer use by both candidates 


Evolution of Internet Uses 

Online activities’ popularity and participation reflect the massive surge of individu¬ 
als of all ages and nationalities embracing the Internet, some allowing migration to 
automated versions of physical activities (e-mail for postal mail) and some for the 
new forms of Internet social interaction, entertainment, education, e-commerce, 

width has allowed films, music, video, and TV to stream into computers, handheld 
devices, and television sets, disrupting traditional sources, while adoption of 4G 











adults (not just teens) to use sites like Facebook and Twitter daily. For ex 

become popular, particularly with younger (age 40 and under) users. As 
on society of daily Internet use has progressed, so has the “power user” 

the same category as ordinary users because they can be a valuable resoi 
employer or group, but they can also pose a danger if they are incline* 
computing devices (see Figure 2.6). 

For well over half of the adult population, 18 mobile and wire line ; 

less broadband networking and handheld devices, at home, in the wor. 


:ernet use. The digital content on the mobile device often prompts more 

net experience easily switches to “on the go” as the handheld becomes a 
lentary access point to connect with people and digital content wherever a 




Cybervetting 







Cybervetting 


13. Nixon, W. Barry, and Kerr, Kim M., Background Screening and Investigations, Managing 
Risk from HR and Security Perspectives (New York: Elsevier, 2008). 

14. See http://www.pewinternet.org/Static-Pages/Trend-Data-(Adults)/Whos-Online.aspx 
(accessed November 14, 2013). 

ternet.org/Trend-Data-(Adults)/Online-Activites-Total.aspx (accessed November 14, 

16. Pew Internet and American Life Project statistics, http://www.pewinternet.org/ 
Reports/2011/Social-Networking-Sites/Report.aspx?view=all (accessed November 14, 

users&i=20, including Madden, Mary, Four or More, The New Demographic, June 
2010, http://www.pewinternet.org/Presentations/2010/Jun/Four-or-More-The- 
New-Demographic.aspx (accessed November 14, 2013). 

18. Horrigan, John, The Mobile Difference, Pew Internet and American Life, http://www. 
pewinternet.org/Reports/2009/5-The-Mobile-Differcnce—Typology.aspx, http:// 

org/Scarch.aspx?q=home%20wircless (accessed November 14, 2013). 

media//Files/Reports/2007/PIP_ICT_Typology.pdf.pdf (accessed June 24, 2010). g 

20. US Department of Justice, press release, August 2, 2007. On August 1, 2007, Xiaodong 
Sheldon Meng, 42, formerly a resident of Beijing, China, and resident of Cupertino, 
California, pleaded guilty to violating the Economic Espionage Act (EAA), the Arms 
Export Control Act (AECA) and the International Traffic in Arms Regulations (ITAR), 
http://www.usdoj.gov/criminal/cybercrime/mcngPlea.htm (accessed May 5, 2009). 

21. Teens, Social Media, and Privacy, Pew Internet and American Life Project, http:// 

Part-2 P aspx (accessed^anu^ry 25, 2014). 

22. O’Harrow, Robert, Jr., No Place to Hide (New York: Free Press, 2005). 







Chapter 3 


Use and Abuse: Crime 
and Misbehavior Online 


Introduction 

In 2011, at least 2.3 billion people, the equivalent of more than one-third of the 
world’s total population, had access to the Internet. Over 60% of all Internet users 
are in developing countries, with 45% of all Internet users below the age of 25 years. 
By the year 2017, it is estimated that mobile broadband subscriptions will approach 
70% of the world’s total population. By the year 2020, the number of networked 
devices (the “Internet of things”) will outnumber people by six to one, transforming 

will become hard to imagine a “computer crime,” and perhaps any crime, that does 
not involve electronic evidence linked with Internet protocol (IP) connectivity. 1 

Computer-based crime (i.e., criminal acts committed using computers or where 
computers hold evidence of a crime) is poorly measured. Unfortunately, few if 
any solid metrics are available on the incidence, proportion, or impact of illegal 
Internet uses. Regional computer forensic laboratories run by the Federal Bureau 

increases in the types, numbers, and quantities of data involved in all criminal 
Congress 3 that 

The diverse threats we face are increasingly cyber-based. Much of 
Americas most sensitive data is stored on computers. We are losing 
data, money, and ideas through cyber intrusions. This threatens inno¬ 
vation and, as citizens, we are also increasingly vulnerable to losing 


39 






■ Cybervetting 


against candidates for employment whose online misbehavior may be discoverable. 
Unfortunately, most cybercriminals have no arrest record. As with all types of crim- 

like drug trafficking to annoying spam and pop-up ads. Like legitimate businesses, 

and Internet anonymity can facilitate efficiency, rapidly scaled marketing, quick 
sales growth, and customer satisfaction. 10 

A good example of organized Internet crime is illicit online pharmaceuti- 

generic drugs, ostensibly from Canada and Europe, but predominantly from 

age US consumer, facing high drug prices, cannot easily determine the legitimacy 
of the discount products or websites. US, Canadian, Russian, Chinese, and Indian 
organized criminals offer prescription drugs without a prescription and ship or 
mail medicines to customers who will not know if the pills are poison, counterfeit, 
generic, or the real thing. Even repackaged, diverted products appear in Internet 
pharmaceutical channels. It is a classic case of the web s ability to host black, gray, 


Digital Delinquency 

By its nature, the Internet has spawned illegal activities that are digital. For exam¬ 
ple, sales and bartering of misappropriated content such as films, videos, music, 
audio, software, designs, and other intellectual property have become lucrative 
businesses. Like a criminal form of eBay or craigslist, websites host auctions and 
sales of stolen credit card data and purloined personal identities. New software 
and networking systems have been created to facilitate transfer of large digital files, 

sync files of any size.”). 12 

Old-fashioned fencing and duplication of stolen DVDs have been joined by 

some cases, individual sites host no technically illegal content (e.g., by hosting only 
a part of a pirated film), and only a central controllers permission allows users 
to access, download, verify, and reassemble the whole thing. Some criminal sites’ 
sophisticated uses of authentication, encryption, compression, and high-bandwidth 
transmission at times exceed the norm of commercial Internet services. 


"Free" Intellectual Property 

Although copyright violations are illegal, especially for commercial rather than 
personal use, Internet file sharing has given rise to a quasi-religious belief that 











Chapter 4 

Internet Search Studies 


Introduction 

years, and until recently, compelling evidence has been lacking about the neces¬ 
sity and value of cybervetting to an enterprise. A key question is what kind of 





ussion that follows summarizes the results of a study 2 conducted to ascer- 
many volunteers from a population of university students would be found 
issues identified by Internet searching that could preclude their employ- 
a clearance under the federal Adjudicative Guidelines for Determining 


Lack of allegiance to the United States: treason, sabotage, anti-US acts, extremism 
Foreign influence: foreign relatives, relationships, sympathies, or coercion 
Foreign preference: dual citizenship, loyalty to another nation or anti-US group 

Financial considerations: financially overextended, dishonesty, unexplained affluence 
frequently drunk, binge drinking 

Psychological conditions: emotional disorders, mentally ill, unreliable or unstable 
Criminal conduct: a serious or multiple minor crimes, whether or not 
charged/convicted 










■ Cybervetting 


iNameCheck Cybervetting Case Study 

I conducted a second study by reviewing all of the investigations of my firm, 
iNameCheck. The goal was to find those background investigations conducted on 
individuals who were not suspected of misbehavior, illegal activities, or the like. The 
group of inquiries selected comprised applicants or candidates for positions and sub¬ 
jects of due diligence and legal support investigations. Each investigation included 
reviews of information found online that could have an impact on a judgment 
about the persons suitability for employment, reliability, trustworthiness, or the 
like (i.e., cybervetting). To provide an objective means of determining that results 
were either derogatory or not, the Adjudicative Guidelines outlined were adopted 
as an assessment tool. In each case reviewed, minor issues (e.g., old traffic citations, 
single instances of posting crude language, common debt problems, and the like) 
were deemed insufficient grounds for a negative finding. However, for purposes of 
this study, a large number of such minor issues or aggravated instances (e.g., DUIs, 
repeated use of racist or profane postings, bankruptcy, multiple civil lawsuits, liens 
or judgments, and flagrant, repeated recent misbehavior) were deemed derogatory, 
as were substantial issues needing resolution through further inquiry. 

Over 1,900 iNameCheck cases were reviewed, and 736 cases on people (70% 
male, 30% female) were found for which cybervetting was used in the subjects’ 

doing or derogatory information. Subjects who were suspected of wrongdoing 
or who were investigated for a purpose unrelated to an assessment of suitability 
(e.g., attempts to locate an individual) were not included in the study. Reports of 
findings in the 736 investigations were reviewed, and 232 (31.5%) contained sub¬ 
stantial derogatory information concerning the subject. Derogatory findings were 
present in the cases of 66 females (28.4% of negative findings, 30% of females 
investigated, and 8.96% of all 736 reports) and 166 males (71.6% of negative find- 

percentage of cases with findings of derogatory information in this batch of cases 
was substantially higher than one might expect, as 6% to 10% of reports from a 
presumably innocent population would normally be expected to have substantially 
derogatory findings. One implication of these results is that including cybervetting 
in background investigations could uncover substantial issues for about 30% of a 

Tables 4.1 and 4.2 show the nature of the derogatory findings, broken down 
by male and female subjects, respectively. Financial, foreign influence, and crimi¬ 
nal issues formed the most frequent of derogatory findings. Misbehavior and bad 
judgment, shown by a pattern of civil suits, misdemeanors, and alcohol and drug 
abuse, were also present, as expected. Because the guidelines were used as a thresh¬ 
old for identifying issues, it is possible that individual cases would be resolved in 
the subject’s favor on review and adjudication. However, cases involving glaring or 
unresolved substantial issues were identified and categorized as set out previously. 








and similar “traditional” investigative steps would also be expected to yield many 
of the same findings. Cybervetting was found in many of the cases reviewed to 
provide leads that could be used to verify or add details to issues identified, such as 

jects social networking friends. Although it is not possible to accurately speculate 
on how many of the issues identified might not be found in a traditional investiga- 

without foreign influence issues) are a bright red flag, suggesting that cybervetting 
Based on the results of both studies, here are a few important observations 


■ A significant number of issues could go unidentified without cybervetting. 

■ Some of the issues that might go unidentified, including drug and alcohol 

online, could lead to significant problems on the job or in a position of trust. 

■ Online misbehavior issues identified through cybervetting could be expected 
to reappear as a person uses an employers computers, networks, and data. 

on-the-job monitoring of those hired could expose an employer to significant 

■ Intelligence and leads gleaned from a cybervetting program, handled prop¬ 
erly, enable an authority to identify and address risks with candidates prior to 
their appearance later, on the job. 

■ Failure to look for and find obvious online issues could subject an enterprise 
to losses, damage, and legal sanctions for neglecting to exercise due care in 
personnel security, including vetting. 




Internet Search Studies ■ 57 


cybervetting outlined here and elsewhere in this book, the evidence for its necessity 
is overwhelming. Further, it is clear to me that the costs for failing to include cyber¬ 
vetting in personnel security and background investigations will be substantially 
higher than that for incorporating the practice into existing programs. 


Notes 

1. Jodka, Sara H., The Dos and Don’ts of Conducting a Legal, Yet Helpful, Social Media 
Background Screen, Law Practice Today (American Bar Association monthly magazine), 
September 2013, http://www.americanbar.org/content/newsletter/publications/law_ 

2013). Clark, L., and Roberts, S., Employer’s Use of Social Networking Sites: A 
Socially Irresponsible Practice, Journal of Business Ethics, 2010, http://homcpagcs. 
se.edu/cvonbergen/files/2013/01/Employer%25E2%2580%2599s-Use-of-Social- 
Networking-Sites_A-Socially-Irresponsible-Practice.pdf (accessed January 20, 2014). 

2. Holt, Thomas J., and Appel, Edward J., Sr., Detecting and Assessing Online 
Misbehavior by Candidates and Employees of DoD: Phase II—Identifying Issues of 

by iNameCheck (authors firm) and Michigan Smtc University CollegeCriminal 
Justice, December 2012, for the US Department of Defense Personnel Security 
Research Center. 

3. Code of Federal Regulations, Government Printing Office, July 2012, http://www. 
gpo.gov/ fdsys/pkg/ CFR-2012-title32-voll /xml/ CFR-2012-title32-voll -parti 47 .xml 
(accessed January 28, 2014). See Chapter 9. 







Chapter 5 

Implications 
for the Enterprise 


Introduction 


Surveys, media reports, and quotations suggest that because of online misbehavior, 
some employers are adding Internet searches to prehiring background investiga¬ 
tions. 1 Although studies of what is often called “social media vetting” vary on the 
percentage of employers, recent surveys have verified indications over the past sev¬ 
eral years that many employers do some form of cybervetting: 2 

reported using social media in hiring. 






■ 24%—Lying about qualifications. 








60 ■ Cybervetting 


However, the media reports appear to indicate that most private- and public- 
sector employers lack several key ingredients necessary for fair, legal, and appropri¬ 
ate use of Internet searching for hiring adjudications, including a written policy, 
procedures, antidiscrimination measures, search methodology, adjudication meth¬ 
ods, notice to applicants, consent (as currently used for background investigation 
interviews with prior employers or schools), and an opportunity to correct adverse 
findings. 3 These and certain other procedures would insulate an employer from 
potential liabilities arising from Internet searching, including possible violations of 

cedures and safeguards, an employer’s human resources and other decision makers 
might use Internet searches and the results thereof inappropriately. 

A related trend is for employers to spend considerable sums on systems to monitor 
their employees’ use of work information technology (IT) systems for online mis¬ 
behavior, blocking access to certain Internet sites, filtering and archiving e-mail, and 
even key logging. 4 In recent years, the costs of litigation, losses, and reputational dam¬ 
age to enterprises that failed to control employees’ systems misuses have skyrocketed. 


The New User: Someone You Would Trust? 

Background investigations, combined with resumes, applications, interviews, and a 
“whole-person” evaluation of eligibility, qualifications, experience, and compatibility 

investigations, vetting allows an employer to consider facts and observations in mak¬ 
ing a decision. When the open position has multiple applicants, the goal is choosing 
among those most competitive and likely to succeed. The applicant’s profile—factual, 
verified, and analyzed—is the basis for adjudicating whether to hire the individual. 
In this context, analysis of prior computer/Internet use has somehow been omitted 
by many employers. Most US employees (62% in 2008) use the Internet or e-mail at 
work, and nearly all of those own personal cell phones and computers, according to a 
Pew Internet and American Life study. About 45% of employed Americans reported 

of automation on employees, several recent trends are significant: 

1. Most US workers come into a job with prior online experience. 

2. Most US workers are granted immediate access to their new employer’s 
IT systems. 

3. The “networked worker” of today is much more likely to use computers and 
devices to accomplish a mix of personal and professional tasks throughout 
the day, whether it is a workday or day off and whether during work hours or 

4. Workers carry networked devices, including cell phones, laptops, and tablets, 
and are likely to bring them to work. 








■ Cybervetting 


Another motivator for employers is the potential cost in lost bandwidth, work 
hours, and reputation of employee Internet use for personal purposes, such as social 
networking, shopping, stock trading, surfing the net, and other non-work-related 
activities. One case involved a government employee who was caught burning porn 
videos from the Internet onto DVDs all day at work, then selling the DVDs from 
home. It turned out that the heavy-duty DVD burner and DVD blanks were pur¬ 
chased through the agency supply office. 

domestic violence, harassment, and other issues arising from Internet use at work. 
When a candidate or onboard employee has a past history of misbehavior that can 
be carried out or facilitated by Internet use, the employer would be well advised to 
consider the persons prior online behavior. Should the employee act out illegally in 
the physical world with potential digital evidence, a subsequent investigation would 
be likely to include both work and personal computers, especially if the employer 
does not prevent misbehavior online by using stringent controls on IT systems. 

nal and civil investigations, the employer who is not acting to prevent misuse may 
find that internal security lapses are the least embarrassing and potentially costly 
aspects of risk incurred. 

Introduction of digital forensic evidence is evolving along with the technolo- 

challenges is to find the fit within a traditional legal context for electronic files that 
are readily changeable; may require expert interpretation; challenge hearsay, best 
evidence, and chain-of-custody rules; and often need systems administrators to 
introduce them in court. “Tcchnospeak” may confuse the court officers, juries, and 
witnesses. A witness presenting what he or she knows may be hard to distinguish 
from one providing an opinion about the attribution of documentation. Judges 
must apply rules with limited precedent and sometimes-questionable expert advice. 

admitted into courts and play a vital and increasing role in both criminal and 
civil judgments. 


Vetting, Monitoring, and Accountability 

A somewhat controversial area of best security practices is employers’ approach to 

computer use; the degree to which enterprise systems are monitored to prevent, 
detect, and mitigate potential abuse; and the accountability (or lack thereof) to 

Monitoring of one’s own IT systems has become an imperative today, if only to 





Implications for the Enterprise ■ 63 


prevent viruses from bringing down computers vital to production. The question 
with which most employers struggle is what kind of monitoring is appropriate and 
cost-effective. Further, what will be done with employees or other authorized users 
(perhaps including vendors, partners, and customers) who violate the AUP? 

Americans’ acute sense of privacy and desire to be left alone by authority 

Because the sociological aspects of Internet use are progressing more rapidly than 

think carefully about not only what security measures to employ, but also what to 
do with information demonstrating the culpability of an authorized user. Simply 
because an act is against the rules is not necessarily a reason to take draconian 
measures, yet failure to address bad behavior is a recipe for further, more damaging 

person’s misdeeds because the employer cannot afford to fire the entire department. 
For example, a large employer found that a group of technicians were all enjoying 

Further, the employer may not make the essential connection between the initial 
assessment of a new employee’s proclivity to misbehave online in the context of the 
monitoring and controls that are routinely exercised in the enterprise. In any case, 
an employer needs to analyze security risks and countermeasures as they relate to 

In the social contract that has evolved since automation became so much a part of 
our lives, new philosophical issues have arisen. 7 Can an enterprise survive and succeed 
if its people, systems, networks, and data are constantly at risk because of individual 
users’ misbehavior? Will the best-available workers wish to work in a place where 

employer in the information age find the right mix of humanity and authority for the 
workplace? Cynics may point out that, in the past few years, more Americans have 

dally in the recession under way at this writing, is merely a way for firms and 
ve the lack of sufficient income and the overgrown structure that so 

issue when keeping the job at all is a struggle, even for the best workers. 

ing foundational elements: 


■ Enterprise systems, networks, and data confidentiality, integrity, accessibility, 
and security depend on each and every authorized user. 

■ Users should expect, and be notified, that all computer systems are monitored. 

■ When an authorized user is documented abusing AUP rules, discipline will result. 





Implications for the Enterp 


The Evolving Personnel Security Model 

In the early 1990s, when the Internet was just starting to take off as a massively 
scaled platform for networking, security strategies for government and business 


1. Incorporate risk management (rather than risk avoidance) 

2. Provide critical infrastructure protection (to mitigate against failure of 
vital resources) 





■ More people are vulnerable to severe financial stress, a prime motive for espionage. 

■ Gambling, drugs, alcohol, and other expensive vices contribute to financial 
stress and impulsive illicit acts. 

■ Employer-employee dynamics today often do not include mutual loyalty and 

acts of revenge by disgruntled employees. 

■ Ethnic, ideological, and global conflicts and population mixtures are chang¬ 
ing, with multiple philosophies motivating mobile actors to commit espio¬ 
nage for what they believe are justifiable reasons. 


Government agencies’ and high-tech firms’ background investigations are 
aimed at preventing the hiring and clearance of persons whose prior behavior proved 
that they were untrustworthy. Information age employers have not all confronted 

employee still qualifies for a clearance). To establish a candidate’s trustworthiness 
for initial hiring, employers need to consider several factors currently ignored by 
the vast majority of enterprises, including an applicant’s history of 






Implications for the Enterprise ■ 


■ Cracking, malware creation or use, and other malicious code experiences 

■ Anonymous Internet activities and avoidance of IT systems controls 

Admitting prior misbehavior of some types cited may not be sufficient reason 
to deny employment to a candidate. As with adjudication of other types of deroga¬ 
tory background investigative results, the employer should consider the serious¬ 
ness, dates, frequency, repetition, likelihood of recurrence, and willingness to avoid 
future misbehavior of the same type. Today’s employer depends on IT systems and 
knows (or should know) about the damage that only one malicious insider can 
do. Therefore, employers should upgrade their hiring processes to include prior 

are unable to answer the questions about the orientation and training needed by 
new IT systems users, especially those relating to security. For the new employee 
who is immediately granted IT systems access, the level of employer risk assumed 
is proportional to the proclivity to misuse systems, networks, and data and the 
employer’s information assurance effort. Unless the individual insider is evaluated 
for trustworthiness with access to IT systems, the employer could be said to be 
negligent in IT security practice. 

Beyond hiring, the lessons of insider crime suggest that there is always a danger 
of “good employees going bad.” Mitigating this risk is essential but difficult. The 
individual’s online behavior should be reevaluated periodically, and perhaps ran- 

uled drug testing. One potentially successful strategy is continuous monitoring 
of insider actions to prevent, detect, and mitigate IT system abuse. Another is to 
conduct follow-up vetting. 

Because computer misuse at home may have an impact on an employer’s sys¬ 
tems, data, and reputation (among other things), checking employees’ recent online 
activities (i.e., those that are public) can help find the few insiders who pose a 
threat to the employer. The employer may discover behavior of concern that can be 
addressed soon enough to deter the insider from acts that are more damaging. If 
serious wrongdoing is uncovered, it is better to address such problems sooner rather 
than later. 

Examples of the insider as traitor include the following: 


hacker who became a cracker) was adept at pr 
to the deaths of 10 or more sources of US intelligence, who risked their lives as 







68 ■ Cybervetting 















Implications for the Enterprise ■ 


To be successful, today’s personnel security model must incorporate an evalu¬ 
ation of authorized users’ past computer system abuse, if any, and include peri- 

proprietary systems and data with which they are entrusted. If the IP protected is 
highly valuable or priceless, “trust but verify” must be the mantra. 


Notes 

1. Rosen, Jeffrey, The Web Means the End of Forgetting, New York Times Magazine, 
July 25, 2010, http://www.nytimes.com/2010/07/25/magazinc/25privacyt2. (accessed 
July 25, 2010); quotes recent Microsoft survey saying75% of US recruiters and human 

about candidates, and nuany use arrange of sites when scrutinizing applicants, include 
websites and blogs, Twitter, and online gaming sites. Seventy percent of US recruiters 

2. Jodka, Sara H., The Dos and Don’ts of Conducting a Legal? Yet Helpful, Social Media 
Background Screen, Law Practice Today (American Bar Association monthly magazine), 

3. Jodka] The^Dos and Don’ts; and Ody, Elizabeth, Keeping Your Profile Clean, 
Washington Post, May 18, 2008: “A recent survey by ExecuNet, a networking orga- 

search results.” Bigam] Kate, Employers May Be Eyeing Students’ Facebook Accounts, 
KentWired.com, 2006, related an October 2006 report by CareerBuilder.com saying 

included lying about job qualifications, poor communications skiUs^and engaging in 
criminal behavior. Peacock, Louisa, Social Networking Sites Used to Check Out Job 
Applicants, March 17, 2009, http://www.personneltoday.com/articles/article.aspx?lia 
rticleid=49844&printerfriendly=true, said 25% of employers worldwide check social 
networking sites such as Facebook and MySpace for information about job candi¬ 
dates. A 2009 study by Development Dimension International (DDI) found 52% of 

hiring decisions. Hcchinger, John, College Applicants Beware: Your Facebook Page 
Is Showing, Wall Street Journal online, September 18, 2008, http://online.wsj.com/ 
article/SB122170459104151023.html. Ten percent of admissions officers in a survey 
of 500 top colleges admitted checking social networking sites to evaluate applicants, 

2007, http://pKss.amanet.org/press-releases/177/2007-electroniemonitoring- 







■ Cybervetting 


5. Madden, Mary, and Jones, Sydney, Networked Workers, Pew Internet and American 
Life Project, September 24, 2008, http://www.pewinternet.org/"/media/Files/ 
Reports/2008/PIP_Networked_Workers_FINAL.pdf (accessed November 26, 2013). 

6. Electronic Monitoring Survey (Note 4). 

7. Hall, George M., The Age of Automation (New York: Pracger, 1995). 

8. Bouckaert, Jan, and Degryse, Hans, Opt In versus Opt Out: A Free-Entry Analysis 
of Privacy Policies, December 2005, http://weis2006.econinfosec.org/docs/34.pdf 
(accessed June 1, 2010). 

9. Shaw, Eric, Ruby, Keven G., and Post, Jerrold M., The Insider Threat to Information 
(accessed August 9, 2010). 

The Digital Dilemma, Intellectual Property in the Information Age (Washington, DC: 
National Academies Press, 2000). 

Institute, October 2000)f Kramer, L., Hcufjf R. J., Jr., and Crawford, K. S.[ 
Technological, Social, and Economic Trends that Are Increasing US Vulnerability to Insider 
Espionage, TR 05-10 May 2005, http://www.dhra.mil/perserec/reports/tr05-10.pdf 
(accessed November 27, 2013). 

12. Wise, David, Spy, The Inside Story of How the FBI’s Robert Hanssen Betrayed America 
(New York: Random House, 2002). 

13. Rowan, J. Patrick, deputy assistant attorney general, U.S. Department of Justice, 
Enforcement of Federal Espionage Laws, Statement before the Subcommittee on 
Crime, Terrorism, and Homeland Security, Committee on the Judiciary, US House 
of Representatives, January 29, 2008. Hcrbig, Katherine L., and Wiskoff, Martin F., 
Espionage against the United States by American Citizens 1947-2001, Technical Report 
02-5 (Defense Personnel Security Research Center [PERSEREC], Monterey, CA, 
July 2002). 

14. Reports of US Department of Defense, including http://www.defense.gov/news/news- 
(acccssed November 27, 2013). 

Maryland Classroom to a Hong Kong Hotel, Washington Post, June 15, 2013, http:// 
articles, washingtonpost.com/2013-06-15/world/39988583_l_anime-hong-kong- 
world (accessed November 5, 2013). 

16. Maas, Peter, How Laura Poitras Helped Snowden Spill His Secrets, New York Times, 
August 13, 2013, http://www.nytimes.com/2013/08/18/magazine/laura-poitras- 
snowden.html? (accessed November 5, 2013). 

17. NPR reports, http://www.npr.org/scarch/indcx.php?scarchinput=%22cdward+snowdcn 
%22 (accessed November 5, 2013). 








LEGAL AND 
POLICY CONTEXT 








Legal and Policy Context ■ 


involving the project, the search company for the first time is required to aggres- 
The settlement also included a fine of $7 million. Privacy advocates and Google 

collector use a proxy to “anonymize” searching so that it is not possible to know 
who is asking about whom? Are privacy options of the search engines and browsers 
used effectively? 


Notes 

1. Google, Inside Search: How Search Works, http://www.google.com/insidesearch/ 

Collecting Users’ Data Across Its Services, Washington Post, March ^ 2012, http:// 
articles.washingtonpost.com/2012-03-0 l/business/35447283_l_alma-whitten- 
google-users-google-history (accessed November 29, 2013). 

2. Schlein, Alan M., Find It Online, the Complete Guide to Online Research, 2nd edition 
(Tcmpe, AZ: Facts on Demand Press, 2001). 

3. Del Castillo, Michael, Six Kinds of Your Information Google Openly Admits to 
Collecting, August 15, 2013, http://upstart.bizjournals.com/news/technology/2013/ 

4. Streitfeld, David, 1 ^Googk Concedes that Drivc-By Prying Violated Privacy, New 






Chapter 6 

Liability, Privacy, and 
Management Issues 

Liability for Service Providers 

many types of social, recreational, hobby, communications, and business functions 
that work well and scale globally. In the early days of the Internet, it was possible 







Liability; Privacy, and Management Issues 


have been occasional cries to shut down or criminally sanction websites that have 
become a venue where illegal acts take place, including such activities as prostitu¬ 
tion, fencing, and drug sales, but in general, it is understood that websites operating 
properly still may be used in crimes. 2 


colleges, other educational institutions, and some nonprofits. Many educational 
and nonprofit sites have a large amount of storage, a variety of applications, and 
high bandwidth—just what a cybercriminal may be looking for. Educational sites 

ter, hundreds or thousands of students may “plug in” to the college information 
technology (IT) network. The educational system may be required for research, 

campus access, bill paying, and a variety of other student, faculty, and staff services. 
Often, the university e-mail system also accommodates alumni, a special target of 
solicitations for donations and support for the school. The size and openness of the 
educational IT infrastructure make it a prime target for cybercriminals, spammers, 
and marketers. As a consequence, many educational sites have found it necessary to 

integrity, and continuity, while keeping out malicious code, inadvertent infections, 
papers, bulk spam). 

These examples are not limited to ISPs, other network service providers, and 

employees have placed large quantities of contraband and illicit materials in shared 
storage (e.g., pirated MP3 music files, videos, and software in violation of copy¬ 
rights and child pornography laws). For example, an employee of a high-bandwidth 
company was arrested for running his own business on the side, selling child por¬ 
nography from his personal website that he had installed on company servers. Like 

systems and must face the fact that at least a small percentage of their users will 
misuse their systems. The larger the systems, the greater the likelihood that illicit 

decide who, in effect, will be the sheriff in town. In all the instances discussed, it is 
the people who decide to misbehave on computer systems to which they are granted 
access that cause the risk to service providers. Like viruses, illicit acts online should 
be sought out, discovered, and dealt with by Internet-connected hosts, if only for 
self-preservation and reputation protection. 


Liability for Employers 

Employers in the private sector are governed by a series of constitutional, federal, 
state, county, and local statutes and legal standards. 3 This is not the appropriate 



78 ■ Cybervetting 


place to itemize them. However, a key question that must be considered in all legal 
and policy discussions of Internet searching that applies to persons (individuals and 
legal persons) is the legal standards that must be applied. 'Therefore, it is necessary 
to focus on how one can conduct Internet and open-source information collection 
without incurring legal liability for violating a statute or standard. 

Employers must contemplate the laws that apply, whether they are conducting 
an internal criminal investigation, vetting potential employees, collecting business/ 





Liability, Privacy, and Management Issues ■ 


steps to utilize any public information in background investigations, provided that 
the process includes notice, signed (informed) consent, and a verification process. 

use and abuse and verification of their responses using Internet vetting, it would be 

methods appear in further discussion. At least 12 states, including Nevada and 
New Jersey, forbid employers from requiring candidates or employees to reveal 
social networking passwords or providing access to private postings. 6 Therefore, 

networking account, an employer should know whether that is legal. At this writ¬ 
ing, it is not illegal or unethical to access or consider publicly available Internet 
information for employment purposes. 

Most application forms and the governments SF-86 form 7 (among others) ask 
applicants to list the other names or aliases by which they are known. Because a 
large percentage of Internet users (at least 30%, based on studies by Pew and others) 
have multiple virtual identities online, it is important in the background investiga¬ 
tion process to collect them. Virtual identities include e-mail addresses, nicknames, 

for these aliases does not exceed the current norm for forms used, but 4 years’ study 

on the form. The SF-86, which is used for US government candidates for jobs with 
clearances, asks for both home and work e-mail addresses and for aliases. Recently 
added to the SF-86 are questions about prior misbehavior using computers. Yet, 
almost no agencies at this writing explicitly instruct candidates to include their 
Internet identities, which may have been used in such misbehavior. Some state stat¬ 
utes forbid an employer from requiring a candidate or employee to provide a user 
name, but it is common for user names and e-mail names to be identical. 

The discussion that follows is designed to help put Internet intelligence gather- 

developing in this area of Internet law. 


Accountability for Employees 

Automation of the workplace and widespread evolution of social norms for com¬ 
puter use have dramatically changed the landscape in ways that enterprises may not 
have considered. Habits acquired in personal computer use may invade the busi¬ 
ness, and business topics are being included in off-hours blogging, social network¬ 
ing, and a variety of other Internet activities both desirable and undesirable from 
the employer’s standpoint. In most workplaces, it is easy to acquire digital goods, 

ees, and other trade secrets and privacy-protected data. Espionage cases over the 
past 20 years in both government and industry have highlighted how much more 









Liability, Privacy, and Management i 


Perhaps it sounds too strident to observe that an employer, viewed even in the 

a wary eye. The employer, needing to keep key talent, may engage in strategies to 
use economic leverage to prevent the exodus of its brain trust. Employees, for their 
part, may collect as much data as they can from the workplace in anticipation that 
bringing the data with them will enhance their value in the next job. Several surveys 
suggested that this is actually happening frequently in the twenty-first century. 10 

Employee accountability in this context can be a sensitive topic, given the 
atmosphere described previously. However, the compact between the employer 

include a strong element of trust if the enterprise is to succeed. In most agencies and 
firms, a formula for success is holding each individual user accountable for actions 

ment. At log-on, workers should be reminded that, as a condition of access, their 
use of data and online activities are controlled by programs to prevent misuse, as 

should be stressed during indoctrination and training, and continue with periodic 
audits, reinvestigations, monitoring, and enforcement of AUPs during employ- 

reinvestigations. Like the Internet, intranet behavior can be a prime indicator of 
danger for the enterprise when users violate the law, policies, and rules. Given the 
invaluable nature of information assets, today’s automated employer owes nothing 
less to stockholders, customers, and the employees themselves than vigilance and 
efficiency in protecting its information assets from malicious users. 


Notes 

rch?q=cachc:I4J3DH5ql78J:https:/Wwxdt.org/files/InteLediary-Liability-6p. 
doc+&cd=9&hl=en&ct=clnk&gl=us (accessed November 29, 2013). 

2. Krasne, Alexandra, What Is Web 2.0, Anyway? TechSoup, December location, 
2005, http://www.techsoup.org/lcarningccntcr/webbuilding/archivcs/pagc9344.cfm 

ings of the International Association of Chiefs of Police ad hoc Computer Crime and 
Digital Evidence Committee (which I chaired 2009-2011). 

Risk from HR and Security Perspectives (New York: Elsevier, 2008). 

4. Lawson, Thomas C., Expert witness in several negligent hiring cases in California and 







■ Cybervetting 


Ben, Technology and Uncertainty: The Shaping Effect on Copyright Law, University 

files/78-depoorterl 57upalrevl 8312009pdf (accessed Dumber 18, 2(H3); American 
Bar Association Journal, http://www.abajournal.com/ (accessed December 18, 2013); 



A. L., and Dolinsky, K. A., New Jersey’s New Social Media Privacy Law: Balancing 
Employee Rights and Employer Protections, Pepper Hamilton, September 16, 2013, 
http ://www.mondaq.com/unitcdstatcs/x/262784/employec+rights+labour+relations/ 
New+Jerseys+New+Social+Media+Privacy+Law+Balancing+Employee+Rights+And+ 

pdf_fill/sf86.pdf (accessed May 26,2010). ’ P ? & 

. Shaw, Eric D., Ruby, Keven G., and Post, Jcrrold M. The Insider Threat to Information 

Security%20Guide/Treason/Infosys.htm (accessed December 18, 2013); Kipp, Steven 
P., Espionage and the Insider, SANS Reading Room, https://www.sans.org/reading- 

For example, DOD Directive 5220.22-M, Chapter 8, Information Systems Security, 
Section 6, Protection Requirements, US Department of Defense, Washington, DC, 
February 2001. 

Moore, Andrew P., Cappelli, Dawn M., Caron, Thomas C., Shaw, Eric, and Trzeciak, 
Randall F., Insider TTicft of Intellectual Property for Business Advantage: A Preliminary 
Model, Carnegie Mellon Software Engineering Institute and CERT, appearing in the 

Purdue University, West Lafayette, IN, J^ne § 15-19, 2009. ^ 








Chapter 7 

Laws 


Introduction 

This chapter contains brief reviews of the statutes that may assist those seeking 
guidance about the legal framework that applies to Internet intelligence and inves¬ 
tigations. For the most part, federal and state laws have not contained restrictions 

information—for use by investigators until recently, beginning about 2009-2010. 
State laws regarding social networking and privacy, federal and state laws regarding 

ing, albeit much more slowly than the Internet and societal norms online. The 
summaries and views expressed here do not constitute legal opinions or advice, or 
an attempt to detail every law related to cybervetting, but are conveyed as com- 
monsense interpretations of the meaning of current laws and indications of the 

not address Internet investigations directly. Because people have differing views 
and strong opinions about their privacy rights, some of the interpretations that fol¬ 
low may be controversial. 


Constitutional Rights 

The US Constitution’s amendments 1 enshrine the following rights relevant 
Internet searching: 


83 









tion on individuals was conducted. These statutes regulate investigations to varying 
degrees, depending on the purpose, methods used, and resulting actions. Based 

which Internet search results are put, and how decisions are made based on find- 

require candidates and employees to reveal about their online activities and creden- 


Federal Statutes 

The Privacy Act of 1971, as amended.'} Controls government collection, use, and 
protection of personally identifying information and limits the extent to 
which federal agencies can disclose records: An individual must consent in 

of the statute’s exceptions. The Privacy Act does not address personal infor- 












Cybervetting 


Although the number of successful black-hat hackers may be small, their 
impact has increased because of the volume of people affected by breaches. 
The number of people involved in less-serious illicit acts online, such as copy¬ 
right violations, remains high. Because millions of people engage in unlaw¬ 
ful activities on the Internet, it is unlikely that most of them, given todays 
enforcement situation, will ever be charged with crimes. 

The Computer Security Act of1987 (Public Law 100-235)}° This act, subsequent 
statutes, and appropriations aim to strengthen the security of government 

standards to the National Institute of Standards and Technology (NIST) 
and other federal agencies, including training of federal systems users and 

The Children’s Online Privacy Protection Act (COPPA): 11 Regulates the informa¬ 
tion that can be collected about preadult Internet users by websites and other 
commercial online service providers. COPPA is an example of the concern 
that the Congress has expressed in statutes, hearings, and studies about the 
best ways to protect the privacy of all Internet users from collection of per- 

Federal Trade Commission updated its guidance for business, parents, and 
small entities in July 2013, emphasizing the goal, which is to put parents in 
charge of what is publicly available from children 13 years old or younger. 12 
Copyright (Title 17, U.S. Code) and Uruguay Round Agreements Act (implement¬ 
ing international copyright treaties)'}* Protects authors of original works that 
are fixed in a tangible form of expression, both published and unpublished, 
giving the author exclusive rights to do and authorize reproduction, distribu- 

Registration and marking of copyrighted material are not necessary for copy¬ 
right protections to apply. Infringement of copyright can be a federal civil 

and impoundment. Providing false contact information to a domain name 
registry creates a rebuttable presumption that the infringement was willful. 

profit misuse, including illicit distribution by computer networks. ISPs are 
exempt if violations are committed by network users and not the ISPs. 
Federal background screening laws'. Besides the FCRA, federal statutes control¬ 
ling background screening and related employer-employee issues include the 
National Labor Relations Act (NLRA), the Driver’s Privacy Protection Act, 
the Civil Rights Act of 1964, Title VII of the Civil Rights Act 1996 (com¬ 
monly referred to as Title VII), the Americans with Disabilities Act, the Federal 
Bankruptcy Act, the Employee Polygraph Protection Act, and the Family 
Educational Rights and Privacy Act, as well as guidelines set by the Equal 
Employment Opportunity Commission. None addresses cybervetting. The 
NLRB has brought actions against employers who have sanctioned employee 





postings related to unionizing, wages, benefits, or working conditions, which 
are considered protected under the NLRA. An emerging area of law is defin- 

that could potentially harm the enterprise s reputation are considered to limit 
employees’ right to address NLRB-regulated employer-employee relationships. 
“The National Labor Relations Act protects the rights of employees to act 
together to address conditions at work, with or without a union. This protec¬ 
tion extends to certain work-related conversations conducted on social media. 


California statute: Unauthorized Access to Computers, Computer Systems and 
Computer Data (California Penal Code Section 502-502.08)'}’* From the statute: 
It is the intent of the Legislature in enacting this section to expand 
the degree of protection afforded to individuals, businesses, and 
governmental agencies from tampering, interference, damage, 

computer systems. The Legislature finds and declares that the 
proliferation of computer technology has resulted in a concomi- 

thorized access to computers, computer systems, and computer 


le integrity of all types and forms of lawfully created comput¬ 
ers, computer systems, and computer data is vital to the protec¬ 
tion of the privacy of individuals as well as to the well-being of 

and others within this state that lawfully utilize those computers, 

California Database Protection Act (CDPA), CA Civil Code § 1798.82; Consumer 
Credit Reporting Agencies Act, CA Civil Code § 1798.16; California Investigative 
Consumer Reporting Act, CA Civil Code § 1798.83-84; U.S. Comptroller of the 
Currency guidance to national Banks, OCC Bulletin 2005-13:14 : 16 The CDPA, 
which took effect in July 2003, mandates public disclosure of computer secu¬ 
rity breaches in which confidential information may have been compromised. 
The law covers state agencies and all private enterprises doing business in 
California. Any entity that fails to disclose that a breach has occurred could 
be liable for civil damages or face class action lawsuits. Personal confidential 
information includes first and last names in conjunction with the follow¬ 
ing data: Social Security number, drivers license or California identifica- 

required security code, access code, or password that would permit access to 
an individual s financial account. The US Comptroller of the Currency issued 







Media Policy and Standards, Revised September 14, 2011 (originally published 
March 18, 2010). It treats posting policy and security, but not cybervetting. The 
purpose states, “Office of Management and Enterprise Services (OMES) ... and 
the Oklahoma Office of the Attorney General have been working as a part of a col¬ 
laborative effort involving the National Association of Attorneys General (NAAG) 
and the National Association of State Chief Information Officers (NASCIO) work¬ 
ing on Terms of Service agreements with a broad range of social media providers 

In a January 2014 update on Internet privacy statutes, the National Conference 
of State Legislatures (NCSL) stated: 19 

to keep private certain information concerning their customers, unless 
the customer gives permission to disclose the information. Both 

Minnesota also requires ISPs to get permission from subscribers before 
disclosing information about the subscribers’ online surfing habits and 
Internet sites visited. 


Minnesota Statutes §§ 325M.01 to.09 
Nevada Revised Statutes § 205.498. 





In addition, NCSL reported: 


State lawmakers introduced legislation beginning in 2012 to prevent 
employers from requesting passwords to personal Internet accounts to 
get or keep a job. Some states have similar legislation to protect students 
in public colleges and universities from having to grant access to their 
social networking accounts. ... As of April 10, 2014, legislation has 

state—Wisconsin—-so far in 2014. 


These proposed statutes appear to focus on keeping social networking user 
names and passwords private, but some go beyond and forbid employers and other 
authorities from requiring a person to display or divulge personal social networking 
profiles. 20 One example of a state statute that has gone into effect is in Nevada, where, 

suggest that an employee or a prospective employee disclose the user name, password, 

In federal and state laws, both the US Congress and the states have passed 
statutes aimed at protecting the privacy of computer and Internet users across the 
board. Many of the statutes restrict government collection and use of data without 
placing similar restrictions on the private sector. However, no law found prohibits 
the collection of publicly posted information on the Internet for a lawful purpose. 


Federal Rules of Evidence and Computer Records 

The most recent (2013) versions of the Federal Rules of Evidence, Federal Rules 
of Criminal Procedure, and Federal Rules of Civil Procedure 22 contain almost no 
references to the Internet, except mention of publication online of government 
information. The Rules of Evidence do not even contain the words Internet , cyber , 
or digital. However, they do treat “data stored in a computer or similar device” 
and state that “a reference to any kind of written material or any other medium 

tion, whether they are computerized or not. 23 They state, “For electronically stored 
information, ‘original’ means any printout—or other output readable by sight—if 
it accurately reflects the information.” 24 

To address the issues of admissibility and authenticity of evidence as viewed by 
a court of law, the Federal Rules of Evidence are considered here, rather than those 
of each state, selected foreign countries, or some other approach, all of which might 

follow the federal approach, and this area of law is evolving with the technologies 






Cybervetting 


to any entity that collects personal information in Canada or personal 
information from Canadian citizens. More sensitive information, such as patient 

id consent appears to be allowed by the 
act for appropriate, official purposes such as verification of the terms of employment. 
Existing laws that may relate to Internet searching can be summarized in a few 


■ US statutes and legal practice do not forbid the lawful use of public Internet 
postings for intelligence, investigative, and vetting purposes. 

■ In Europe, Canada, and Asia, legal privacy protections may limit the types of 
data that can be collected and used from Internet sources. 

quately, can result in legal sanctions in the United States and abroad. 

and transparency to consumers, employees, and others, allowing them to 
see the information about them, correct it if necessary, and provide consent 

their well-being. 


to Internet investigations, they shed light on the principles that should be adopted 
search policy for government and private enterprises is found in Chapter 9. 


US Legislative Proposals 

About 145 bills were introduced in the US Congress in 2013 addressing privacy 
rights in one way or another, 31 but none treated the entire agenda announced by 
President Barak Obama. Efforts continued to encourage businesses to adopt pri¬ 
vacy principles originally created in the United States but adopted in law in Europe, 

is a bill proposed by the Obama administration labeled a Consumer Privacy Bill 
of Rights, 32 saying American Internet users should have the right to control per¬ 
sonal information about themselves collected online, to prevent data collected for 
one purpose being used for an unrelated purpose, to ensure information is held 
securely, and to know who is accountable for use or misuse of their personal infor- 

of discussion (e.g., strengthening security of data protection), this proposal was not 
introduced as a separate bill and is not viewed as likely to be enacted into law. 





Notes 


2. For the Privacy Act, see http://www.usdoj.gov/oip/foia_updates/Vol_XVII_4/page2. 

3. Freedom of Information Act, http://www.justice.gov/oip/foia_updatcs/Vol_XVII_4/ 

4. HIPAA, https://www.cms.gov/HIPAAGenInfo/Downloads/HIPAALaw.pdf (accessed 
August 10, 2010). Gramm-Leach- Bliley Act of 1999, http://banking.senate.gov/conf/ 

news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf (accessed August 10, 

5. USA Patriot Act, Public Law 107-56, 2001, http://thomas.loc.gov/cgi-bin/bdquery/ 
z?dl07:HR03l62:%5D (accessed August 10, 2010). 

6. Fair Credit Reporting Act (FCRA), Public Law 91-508, Title VI, § 601, http://www. 
ftc.gov/os/statutes/031224fcra.pdf (accessed August 10, 2010). 

7. Electronic Communications Privacy Act of 1986, http://www.it.ojp.gov/default.aspx? 

8. Federal Information Security Management Act (FISMA) of 2002, http://thomas.loc. 
gov/cgi-bin/bdquery/z?dl 07:h.r.03844: (accessed August 10, 2010). 

9. Computer Fraud and Abuse Act, Title 18, Part I, Chapter 47, § 1030, http://www. 
justice.gov/criminal/cybercrime/1030NEW.htm (accessed August 10, 2010). 

10. Computer Security Act of 1987, Public Law 100-235, http://www.nist.gov/cfo/ 
lcgislation/Public%20Law%20100-235.pdf (accessed August 10, 2010). 

11. Children’s Online Privacy Protection Act (COPPA), http://www.ftc.gov/ogc/coppal. 

12. http://www.busincss.ftc.gov/documcnts/Complying-with-COPPA-Frequently-Asked- 
Questions#General%20Questions (accessed November 29, 2013). 

circ01.pdf, http://www.copyright.gov/titlel7/92chap5.pdf (accessed August 10, 2010). 

14. The NLRB and Social Media, http://www.nlrb.gov/news-outreach/fact-sheets/nlrb- 

15. California Penal Code, Section 502-502.08, http://www.calpcrs.ca.gov/eip-docs/ 
utilities/conditions/502-ca-penal-code.pdf (accessed August 10, 2010). 

16. California Database Protection Act (CDPA), CA Civil Code § 1798.82, http://www. 
cybersure.com/documents/seminar/database_protection.pdf and http://www.ffiec. 
gov/ffiecinfobase/rcsources/info_sec/2006/occ-bul_2005-13.pdf (accessed August 10, 
2010). California Consumer CreditReporting Agencies Act, CA Civil Code § 1798.16, 

December 19,2013). ^ P y P ( 

18. Sec http://www.ok.gov/cio/Policy_and_Standards/Social_Mcdia/ (accessed April 27, 










96 ■ Cybervetting 


uscourts.gov/ uscourts/RulesAndPolicies/'rules/2010%20Rules/Criminal%20Proc 

Regardless of Whether the Declarant Is Available as a Witness (6), http:/, 

Federal Rules of Evidence, Article X. Contents of Writings, Recordings 
Photographs, Rule 1001. Definitions That Apply to This Article, http://www.usc 


n, 49(2), 21 


’USA 




of Justice, Searching and Seizing Computers and Obtaining Electronic Evidence in 
~ " tions (Manual), July 2002, Appendix F updated December 2006, 

rimc.gov/s&smanual2002.html (accessed August 10, 2010). 
idd.uscourts.gov/news/news/ESIProtocol.pdf (accessed April 27, 




n Convention on Cyberc 


European Union Data Prot, 




January 17, 2014). 

c. 5), http://laws.justice.gc.ca/eng/acts/P-8.6/ (accessed Jan 
The White House, Washington, DC, Fact Sheet: Plan to Prc 
)ffice/2012/02/23/fact-shect-plan-protect-priva 







Chapter 8 

Litigation 


Introduction 

decisions or to argue the privacy issues of cyberspace. It provides no legal advice 
or analysis but rather describes selected litigation and related information deemed 

entities in law terms. Relatively few court decisions were found that directly con¬ 
cern Internet searching, and few legal reviews of employment disputes, and other 
sensitive issues, such as privacy, along with cases for which admissibility of elec¬ 
tronic evidence issues were adjudicated. Therefore, topical reviews were conducted 
of decisions that could be used as precedents in a case where an Internet search 
led to a lawsuit or was used as guidance to professionals seeking to understand 
the proper way to conduct cybervetting. Commentary is included in an effort to 
explain potential relevance to this issue. 


Internet Search Litigation 

A few cases involving claims relating to an employer conducting Internet searching 
on an employee or applicant were found. In one case, the US Court of Appeals for 

edential basis. 1 The employee claimed that “his guaranteed right to fundamental 
fairness was seriously violated” when his supervisor used Google to search his name 

a position by the Air Force. However, the court found that the employee himself 
told his supervisor that he had been subject to employment proceedings before, 

97 









■ Cybervetting 



Hi 











Litigation ■ 99 



It is safe to say that there will be plenty of litigation exploring the limits of pri- 
have no current, legal privacy protections, and courts have consistently held so. 


Anonymity 

In 1958, the Supreme Court held Alabama’s demand for the identities of all mem¬ 
bers and agents of the NAACP (National Association for the Advancement of 

speech and association, exercise of which would be impaired by disclosure. The 
court held that forcing the NAACP to disclose its membership lists was “likely 
to affect adversely the ability of [the NAACP] to pursue their collective effort to 

Comment-. Anonymity enables a wide range of public activities on the Internet, 

tify individuals attempting anonymity whose postings include clues to their identity. 


In Griffin v. State of Maryland, the Maryland Special Court of Appeals upheld 
the murder conviction of Griffin, approving a Cecil County Court judge’s ruling 
allowing introduction of the MySpace page of Griffin’s girlfriend to corroborate 












100 ■ Cybervetting 


evidence because of compelling circumstantial evidence, including the use of the 

tion of the MySpace page. A Maryland State poli 
outside the jury’s hearing, prior to the judge’s al 


Expectation of Privacy 

In 1967, the Supreme Court established the principle that individual privacy pro¬ 
tection (rather than property protection) extends the Fourth Amendment shield to 

in a public area. The court used a two-part test to determine when an individual 

individual’s subjective expectation of privacy and whether that expectation of pri¬ 
vacy was reasonable (an objective test). 10 One year later, in 1968, Title III of the 
Omnibus Crime Control and Safe Streets Act was passed, requiring law enforce¬ 
ment to seek a warrant for electronic surveillance. 11 Subsequent lower federal court 
decisions have found, under more recent laws, including those recounted previ¬ 
ously, that a reasonable expectation of privacy has a variety of nuances, depending 
on the type of communication and the situation. 









Litigation 


101 


Comment : Courts have ruled unanimously that publicly posted information 
appears next. 














Litigation ■ 103 


could constitute violations of the federal Wiretap Act, 18 USC §§ 2510-2520, 
and the Stored Communications Act, 18 USC §§ 2701-2710. Airline executives 

to affirm that they would abide by the site’s confidentiality policy—violating that 
policy against unauthorized access. Hawaiian later placed the pilot on medical 



Due Process 







104 ■ Cybervetting 









lack of detailed evidentiary standards for authenticating content, courts have over¬ 
looked the possibilities of hacking, falsification of content, inadequate protections 

involved. 25 In reality, authentication of online information as evidence will need to 


rely on more rigorous standards than mere circumstantial indicators of authentic¬ 
ity. For example, a posting on a website that apparently belongs to an individual 
may not actually be made by that individual, but by anyone else with authorized or 
unauthorized access to the profile. Additional forensic evidence, such as an analysis 
of the computer used by a computer forensic examiner, or an admission of author¬ 
ship may be needed to verify authorship and the authenticity of online evidence. In 


such cases as employee or candidate vetting, prior to an adverse action, an employer 


seems before a final judgment. Online findings are generally intelligence or lead 
information first and should only be considered definitive after verification through 
the best-possible means available, including (in the case of a social network profile) 
account ownership, security, and authorship of a specific post. Otherwise, an indi- 
viduals due process rights may be violated. 


Libel/Defamation 




















Sanctions for Public Postings 











108 ■ Cybervetting 


suit demanding monetary damages. A photograph of Snyder with a pirate hat 
holding a beverage with the caption “drunken pirate” appeared on her MySpace 
page, on which she also included material regarding her student teaching assign¬ 
ment and otherwise violated university policies. The court found that Millersville 




Internet Privacy for the Twenty-First Century 

Robert Sprague, an assistant professor at the University of Wyoming’s College of 
Business, contributed an excellent review of the law and the evolution of privacy 
protection in America in the Hofstra Labor and Employment Law Journal. 55 Among 










■ Cybervetting 










Litigation 


Admissibility of Electronically Generated 
and Stored Evidence 

Todd Shipley, an expert in Internet and computer forensic investigations, has writ- 
cally stored information (ESI), and (in part) noted: 


Co. [see following discussion]. In that case, the magistrate denied the 

properly admitted. Of particular note is his discussion of ESI authen¬ 
tication including the use of hashing (digital fingerprints), ESI meta- 

more than any other existing case, outlines clear guidance for the 
admission of electronic evidence in a federal civil case. Thus, it can be 
considered a partial road map for development of a standard meth¬ 
odology for Internet forensics and its successful admission in court. 




112 ■ Cybervetting 


The memorandum contains a list of cases in which admissibility of electronic evi¬ 
dence was an issue and the court decisions considered precedents or instructive on 
the issues involved. 


Trends and Legal Challenges to Investigative Searching 


In a Federal Register notice, the US Department of Homeland Security (DHS) 

government agencies. The Electronic Privacy Information Center (EPIC) filed a 

lar Internet collection. 


sites, and from ISPs and telecommunications firms providing services. It w 




Although this chapter addressed the legal issues directly and tangentially related 
to cybervetting and Internet investigations, its main intent was to help establish a 
framework for principles that can be applied to the policies and practices needed to 


Notes 

1. Mullins v. Department of Commerce, U.S. Court of Appeals for the Federal Circuit, 






Litigation 


113 


2. Sinrod, Eric, Office of Duane Morris LLP, San Francisco, http://technology.findlaw. 
com/articlcs/00006/01085l.html (accessed August 10, 2010); Sinrod, Eric J., From 
Googling to Firing? CNETNews.com, May 30, 2007, http:// wAvw.duanemorris.com/ 
articles/article2527.html (accessed August 10, 2010). 

3. Pietrylo et al. v. Hillstone Restaurant Group , Docket No. 2:06-cv-05754 (D.N.J. 
2008), US District Court for New Jersey, Civil Case No. 06-5754 (FSH), July 24, 

4. Searcey, Dionne, Employers Watching Employees Online Stirs Policy Debate, Wall 
StreetJournal, April 23,2009, http://online.wsj.com/articlc/SBl24045009224646091. 

over Their MySpace Post, http://3lepiphany.typepad.com/ (accessed August 10, 2010), 
http://wAvw.lawycrsandsettlements.com/scttlcments/13572/intcrnet-privacy-laws- 
myspace-forums-forum.html#.Ut7fB_8o7lU (accessed January 21, 2014). 

5. Pettry, Michael T, supervisory special agent, FBI, presentation to International 
Association of Chiefs of Police, Legal Officers’ Section, September 29, 2012; http:// 

riddled-with-bullet-holcs (accessed January 19, 2014). 

6. Ibid, case cited in presentation in Note 5. 

7. NAACP v. Alabama ex reL Patterson , 357 U.S. 449 (1958), http://caselaw.lp.findlaw. 
com/scripts/getcase.pl?court=US&vol=357&invol=449 (accessed August 10, 2010). 

8. Griffin v. State of Maryland, Case No. 1132, Lash, Steve, Baltimore Daily Record, 
May 31, 2010, http://findarticles.eom/p/articles/mi_qn4l83/is_20100531/ 
ai_n53902808/, http://mdcourts.gov/opinions/cosa/2010/1132s08.pdf (accessed 
September 2, 2010). 

9. http://conservancy.umn.edu/bitstream/147600/1 /Authentication-of-Social- 
Networking-Evidence-by-Ira-Robbins-MN-Journal-of-Law-Science-Tech-Issue-13-1. 
pdf, p. 27 (accessed January 22, 2014). 

10. Katz v. United States, 389 U.S. 347 (1967), http://caselaw.lp.findlaw.com/scripts/ 
getcase.pl?court=US&vol=389&invol=347 (accessed August 10, 2010). 

11. Omnibus Crime Control and Safe Streets Act of 1968, http://AVAVw.justice.gov/crt/ 

12. Whalen v. Roe, 429 U.S. 589 (1977), http://casclaw.lp.findlaw.com/scripts/getcasc. 
pl?navby=search&court=US&case=/us/429/589.html (accessed August 10, 2010). 

13. Smith v. Maryland, 442 U.S. 735 (1979), http://caselaw.lp.findlaw.com/scripts/getcase. 
pl?navby=search&court=US&case=/us/442/735.html (accessed August 10, 2010). 

14. Madden, Mary, ct al.. Teens, Social Media, and Privacy, Pew Internet and American 
Life, May 2013, http://AVAvw.pcwinternet.org/Reports/2013/Teens-Social-Media-And- 
Privacy/Main-Rcport/Part-2.aspx (accessed January 21, 2014). 

15. United States v. Maxwell, 45 M.J. 406 (1996), http://webcache.googleusercontent. 
com/search?q=cache:http://www.armfor.uscourts.gov/opinions/1996Term/95_075l. 

16. United States v. CharboLeau, 979 F. Supp. 1177 (S.D. Ohio 1997), http://www. 

17. Davis V. Gracey, http://scholar.google.com/scholar_casePcasesl6037774558711975401 









114 ■ Cybervetting 


18. United States v. Ziegler, 474 F.3d 1184 (9th Cir., 2007); see the following paper for 
reviews of similar actions: http://www.howardrice.com/uploacls/content/Civil%20 
Actions%20For%20Privacy%20Violations%202007%20-%20Where%20 
Are%20We.pdf (accessed August 10, 2010). 

19. Konop v. Hawaiian Airlines, No. 99-55106, D.C. No. CV-96-04898-SJL (JGx), 2002, 
http://www.internetlibrary.com/pdf/Konop-Hawaiian-Airlines-9th-Cir-Jan-8-01.pdf 
(accessed September 4, 2010). 

20. Frommer, Dan, Montana Town Demands Job Applicants’ Facebook Passwords, Business 

job-applicants-facebook-pass-words-2009-6 (accessed September 4, 2010); Weinstein, 
Natalie, Bozeman to Job Seekers: We Won’t Seek Passwords, CNET, June 20, 2010, 
http://news.cnet.com/8301-13578_3-10269770-38.html (accessed September 4, 

to; 7 Facebook, Google, Yahoo, YouTubc.com, MySpacc, etc.” but not for passwords. 
http://privacy.org/Background_Check_Form_Interview_MASTER.pdf (accessed 
September 4, 2010). 

21. http://www.iacpsocialmcdia.Org/Portals/l/documents/CybervettingReport.pdf 
(accessed January 20, 2014). The author co-authored this study. 

22. McVeigh v. Cohen, 983 F.Supp. 215 (D.D.C. 1998), http://www.netlitigation.com/ 
netlitigation/cases/mcveigh.htm (accessed August 10, 2010). 

23. Raytheon Company v. John Does 1-21, Commonwealth of Massachusetts, Middlesex 

24. Price v. ^Corzine, 2006 WL 2252208 (D.N.J. 20^6) and 2007 WL 708879 (D.N.J.). 

25. Robbins, Ira P., Writings on the Wall: The Need for an Authorship-Centric Approach 
to the Authentication of Social-Networking Evidence, Minnesota Journal of Law, 
Science & Technology, Winter 2013, http://conservancy.umn.cdu/bitstream/l47600/l/ 
Authentication-of-Social-Networking-Evidence-by-Ira-Robbins-MN-Journal-of-Law- 
Sciencc-Tech-Issue-13-l.pdf (accessed January 22, 2014). 

IS. John Doe v. 2TheMart.com, USDC C01-453Z, April 26, 2001, http://cyber.law. 

27. Section 230 of 47 US Code, http://codes.lp.Zidlaw.eom/uscodc/47/5/II/I/230 
(accessed August 10, 2010); Communications Decency Act of 1996, http://www.fcc. 
gov/Reports/tcom 1996.txt (accessed August 10, 2010). 

28. Endicott Interconnect Technologies v. NLRB, US District Court of Appeals, No. 
05-1371 and 1381, decided July 14, 2006, http://openjurist.org/453/f3d/532/ 

September 4, 2010). 

29. Belgum, Karl G., Who Leads at Half-time? Three Conflicting Visions of Internet 
Privacy Policy, 6 Rich. J.L. & Tech. 1 (Symposium 1999), http://www.richmond. 
edu/jolt/v6il/belgum.html, found at http://cybcr.law.harvard.edu/privacy/ 
WhoLeadsatHalftime(Belgum).htm (accessed August 10, 2010). 

30. Sprague, Robert, Rethinking Information Privacy in an Age of Online Transparency, 
Hofstra Labor and Employment Law Journal, 25: 395, 2009, law.hofstra.edu/pdf/ 
Academics/Journals/LaborAndEmploymentLawJournal/labor_vol25no2_Sprague. 




Litigation 


115 


pdf (accessed March 29, 2010). Excerpts: “Certainly no one can complain when pub- 

and therefore, no recourse, when that publicly-available information is viewed, and 

^Dexter, No. 2006-P-0051, 2007 WL 1532084, at *6 & n.4 (Ohio Ct. App. May 25, 

an expectation of privacy regarding these writings.”); Sanchez Abril, Patricia, A (My) 
Space of Ones Own: On Privacy and Online Social Networks, Northwestern Journal 
of Technology & Intellectual Property, 73: 78 (2007) (“Categorically, everyone would 

CNN Moncy.com, February 15 & 2005, http://mTney.cnn.com/2005/02/l4/news/ 
economy/blogging (citing four cases of employees being fired for what they had posted 

fired at any point for any or no reason at all without any recourse and are there¬ 
for Blogging, CNET News.com, December 16, 2004, http://www.news.com/2102- 
1030_3-5490836.html?tag=st.util.print (“The official reason for my suspension [and 

an intimidating interrogation): blogging”). 

31. Oja v. United States Army Corps of Engineers, 440 F.3d 1122 (9th Cir. 2006), Privacy 

circuit/ 1237864.html (accessed January 21, 2014). 

32. Stacy Snyder v. Millersville University etal., U.S. District Court for the Eastern District 
of Pennsylvania, Case No. 07-1660, decided December 3, 2008. 

33. Dwyer, Jim, The Officer Who Posted Too Much on MySpace, New York Times, 
March 11, 2009, http://www.nytimes.eom/2009/03/l l/nyregion/llabout.html?_r= 
1 &pagewanted=print (accessed September 4, 2010). 

34. Cromer v. Lexington-Fayette Urban Co. Govt., #20088-CA-000698, 2009 Ky. 
App. Unpub. Lexis 71, http://www.aclc.org/law/Digcsts/empl71.html (accessed 
September 4, 2010). 

35. See Note 30. 

36. Jesdanun, Anick, Using a Fake Name on the Internet Could Be Illegal, AP, May 
2008, http://www.newsfactor.com/story.xhtmlPstory_kUl 1100A799HN3&page=l 
(accessed November 2009). 

37. Steinhauer, Jennifer, Verdict in MySpace Suicide Case, New York Times, November 26, 
2008, http://www.nytimes.com/2008/ll/27/us/27myspace.html (accessed April 20, 

38. Based on review of MySpace, Classmates, Facebook, YouTube, Yahoo, Monster.com, 










Chapter 9 


International and 
Domestic Principles 


US and International Privacy Principles 

over the past two decades, have resulted in generally recognized privacy principles 
originally incorporated in US statutes in the 1970s. For purposes of this text, the 
core principles first published in 1981 by the US Department of Commerce, 1 as 

Center for Democracy and Technology, deserve mention. 2 Based on considerable 

test of time and litigation. It should be noted that US laws generally lack the privacy 
rights set out in Canadian, European, and Asian laws. 'Therefore, the principles 
represent useful guidelines for the proper collection and use of personally identify¬ 
ing information, including Internet information, about individuals. The principles 
are as follows: 

1. Notice to individuals when personally identifiable information is col¬ 
lected (awareness) 

2. Limits on use and disclosure of data for purposes other than those for which 
the data were collected (choice) 

3. Limitations on the retention of data 

4. Requirements to ensure the accuracy, completeness, and timeliness of information 


117 






118 ■ Cybervetting 


6. The opportunity to correct information or challenge decisions made, based 
on incorrect data (recourse) 

7. Appropriate security measures to protect the information against abuse or 
unauthorized disclosure (data security) 


personally identifiable information (enforcement, verification, and consequences) 


A Consumer Privacy Bill of Rights drafted and announced in 2013 by the White 

incorporating the principles outlined into US statutes. The US Government (USG) 
has established presidentially approved Adjudicative Guidelines for Determining 
Eligibility for Access to Classified Information (latest edition 2006, 32 CFR Part 
147), 4 which have existed in substantially the same form since President William 
Clinton signed them into effect in an executive order (EO) in August 1995. 
Currently, federal practices include notice, consent, verification, appeal, correction, 
and confidentiality, which directly conform to the privacy principles cited. In over 
45 years of involvement at various levels, from conducting background investiga- 

National Security Council, I have observed a passionate dedication—in profes- 

work—to the rule of law, fair play, and the privacy principles listed. Because the 
adjudicative guidelines contain both behaviors of concern and mitigating factors to 

they represent well-established benchmarks for any employer with a need to protect 
valuable intellectual property in the workplace or ensure the trustworthiness of 










International and Domestic Principles ■ 


hosted on the employer s computers and handheld devices. Because many employ¬ 
ers issue mobile phones and tablets with which they can contact the employee using 
instant messaging, e-mail, or paging, obvious issues of employees’ sensitive personal 
data storage arise. When employees use their own cell phones and handhelds to 

place, the data of the employer and employee may again be mixed. Hie “bring your 
own device” (BYOD) security issue is currently a hot topic for IT administrators 
and security staff. Having clear understandings between the employer and employ¬ 
ees about the limits of privacy and security for any information, communications, 
or Internet uses involving the enterprise’s computers, network, information, or data 

Hie principle of notice and consent is also often applied to contractual agree¬ 
ments not to compete against an employer (during employment and often for a 
fixed period of time after leaving) and not to breach the confidentiality of propri¬ 
etary information without the employers prior consent. If an employee has cop¬ 
ies of an employers data, such as customer lists, on a portable computing device, 
the security of that data can be compromised both during and after employment. 
Anecdotal evidence, including lawsuits by enterprises to prevent ex-employees’ use 
of data collected on the job, suggests that this problem is increasing. If a candidate 
is in the habit of collecting, storing, using, and sharing files that belong to others 
(e.g., videos, music, and software obtained without a paid license), then the pro¬ 
spective employer would see in advance that the individual should be made aware 
of, and agree to, the employer’s standards for protection and use of proprietary data 
before being given unfettered access on the job. Further, just as employees have a 
right to expect the employer to protect personally identifying information (e.g., 
bank account data) residing on the employer’s systems, so the employer has a right 
to expect the employees to abide by data use restrictions in the workplace. 

An effective way to inform enterprise users and document terms of access to 
information systems is the notice or reminder posted on computer log-on screens, 
including the US Department of Defense’s banners, such as: 

You are accessing a US Government (USG) information system (IS) 
that is provided for USG-authorized use only. By using this IS, you 
consent to the following conditions: 


■ Hie USG routinely monitors communications occurring on this IS, 

■ At any time, the USG may inspect and/or seize data stored on 
this IS and any device attached to this IS. 





122 ■ Cybervetting 


■ Communications occurring on or data stored on this IS, or any 
device attached to this IS, are not private. They are subject to 

■ Any communications occurring on or data stored on this IS, or 
any device attached to this IS, may be disclosed or used for any 
USG-authorized purpose. 

■ Security protections may be utilized on this IS to protect certain 
interests that are important to the USG. For example, passwords, 

security for the benefit of the USG. These protections are not 
provided for your benefit or privacy and may be modified or elim¬ 
inated at the USG s discretion. 7 


This log-on message clearly is USG centric, but any employer can craft an 
appropriate warning to users about the rules of systems to which they are granted 

orientation, training, and on-screen notices like the one presented), there is a rea- 

are clearly in the wrong—again, witness Edward Snowden and Robert Hanssen. 
Litigation concerning digital forensic evidence taken from computer systems 

upholds the employer’s ownership of the systems, networks, and data and the rights 
of monitoring of and collection from those systems for any lawful purpose. Courts 

computer systems provided for employees’ use. Claims centered on the employ¬ 
ees’ privacy rights, on reasonable expectation of privacy in the workplace, and on 
personal use of employers’ systems have favored the employer and the government 

who have established policies regulating how employees are to use work systems 
and who have notified employees that their use of employers’ systems constitutes 
consent to monitoring for security and compliance purposes. In some cases, this 
has included employees’ Internet use. A possible exception might be an employ¬ 
ee’s use of a personal (nonwork) e-mail system for private communications with 
an attorney. 8 


Government Standards 

The USG has long-established standards for personnel security, based on presiden- 
standards on classified information includes such documents as EOs on access to 
to classified information, personnel and information systems’ security policies and 









International and Domestic Principles 


A search for explicit authority for the government to use open-source intel¬ 
ligence (including Internet vetting) when investigating candidates for access to 
classified information turned up little of value. Executive Order 12333, United 
States Intelligence Activities (December 4, 1981, as amended August 27, 2004), 
does authorize collection of “information that is publicly available or collected 
with the consent of the person concerned.” This is an exemption from prohibi¬ 
tions against the US intelligence community targeting of US persons (citizens and 
permanent resident aliens). The Federal Bureau of Investigation (FBI), other law 

to collect information concerning any person suspected of a crime or who applies 
for employment or access to classified information. The reason why this standard 
has relevance is that modern norms of intelligence collection and background 
investigation include legally permissible Internet searching. Even the American Bar 
Association recommends Internet searching, noting that it can reduce the cost and 
improve the speed and results of legal research. 14 


Parallel Guidance: Internet Research Ethics 

When considering guidance for new types of activities, it is important to consider 
how ethics are applied in different but parallel endeavors. During the past 20 years, 
the behaviors of individuals and groups online have become subjects of study by 
sociologists, linguists, anthropologists, psychologists, and a host of other research¬ 
ers. Fascination with virtual worlds, new types of communication, and networks 
of people distributed across the globe, but connected by the power of the Internet, 
has attracted the attention of both serious and casual students of human behavior. 
Communities online have developed modes of existence and interaction all their 

approaches to their work. Based on published materials, these ethical approaches 
shed light on the issues, strong beliefs, and alternative approaches that should be 
considered by intelligence practitioners on the Internet. These ethical norms are 
covered in Chapter 10. 








126 ■ Cybervetting 


3. The White House, Washington, DC, Fact Sheet: Plan to Protect Privacy in the Internet 
Age by Adopting a Consumer Privacy Bill of Rights, http://www.whitehouse.gov/ 
the-press-office/2012/02/23/fact-sheet-plan-protect-privacy-internet-age-adopting- 

4. Adjudicative Guidelines for Eligibility for Access to Classified Information Summary, 
http://www.state.gov/rn/ds/clearances/60321.htm (accessed August 10, 2010). 

5. Based on tens of thousands of Internet searches conducted by my firm. 

Use of Information Technology Systems, http://www.opm.gov/forms/pdf_fill/sf86.pdf 
(accessed August 10, 2010). 

8. Westmoreland, Jill, Minimizing Employer Liability for Employee Internet Use, Los 
Angeles Business Journal, July 31, 2000, http://www.thefreelibrary.com/Minimizing 
+Employer+Liability+for+Employee+Internet+Use-a063986324 (accessed August 10, 

9. Dinan, Stephen, Rules that Bar Feds from Trolling Faccbook, Twitter Could Have Weeded 

com/news/20l4/mar/l6/ (accessed March 18, 2014). ? ? & 

10. Report to the President, Suitability and Security Processes Review, February 2014, The 
White House, Washington, DC, http://www.whitchouse.gov/sitcs/dcfeult/filcs/omb/ 

11. Dinan, Rules (Note 9). ^ P P P 

13. Hurwicz, Macy, Barack Obama Staff to Have Email and Faccbook Vetted, Telegraph, 
November 13, 2008, sec http://www.tclcgraph.co.uk/ news/3453916/Barack-Obama- 


14. Bliss, Lisa R., Using the Internet to Save on Legal Research Costs, American Bar 







Chapter 10 

Professional Standards 
and the Internet 


Ethical and behavioral standards are created to carry out la\ 

professional endeavors. One problem with using relatively 
eligibility, capability, and past behavior is that the law is i 
the ethical standards and guidelines that normally follow t 


interest groups, and massively multiplayer online role-playing games (MMORPGs) 

rules” in access, privacy, and use; and a challenge for those seeking to impose a 

As difficult as it seems for lawyers and ethicists to address guidance (not really 
surprising because their focus is steeped in traditional authority, from times long 

to be consulted for the guidance necessary. If we wait for the lawyers, how much 


127 






128 ■ Cybervetting 


use and privacy policies of the websites themselves provide a starting point and are 
only now being used to enforce requirements for users, over 21 years after the explo¬ 
sion of the use of the Internet. At this time, it is especially important to understand 
the medium and adopt a practical policy for addressing the legal and ethical issues 
without waiting for uninitiated legalists to reach final conclusions. After all, they 
are bound to go to court to litigate unresolved issues (or raise new issues about 
resolutions found). We should start with the standards that exist. 


ASIS Standards 







appropriate ways to deal with what employers are finding online (i.e., clearly inap¬ 
propriate behaviors disqualifying to candidates) and the unanswered question of 

The ASIS guideline expresses concern about the possible risk to someone’s pri¬ 
vacy if an employer accesses material that “a person did not intend for an employer 

intent about access to and use of publicly available information supersedes an 
employer’s right to view it and take it into consideration. Public Internet postings 
are not protected in law, and a right to privacy is not ascribed to someone’s publicly 
visible, illegal, illicit, or offensive behavior. An employer might find it difficult to 
defend the hiring of someone whose Internet profile notoriously featured illegal, 
illicit, or offensive behavior. The guideline fails to weigh the possibility that an 
arrogant or ignorant person boldly can post evidence of his or her ineligibility— 
and the employer should consider it. Employers include government, law enforce- 

of scrutiny. Unfortunately, I have seen numerous instances in the past 4 years of 
illegal, illicit, and antisocial behaviors posted on the public Internet for anyone to 










ancc process, just as they must with any other source of potentially derogatory data. 
Critical information may be missed without Internet searching. Through cybervet¬ 
ting employing proper procedures, the employer will reap the reward of identifying 
prior behavior that needs to be addressed, whether the candidate is hired, cleared, 

studies, 9% to 31.5% of subjects of cybervetting will have potentially derogatory 
findings, while most results will reflect positively on, or be neutral to, a candidacy. 


National Association of Professional 
Background Screeners 

in 2003 as a nonprofit trade association, represents the interest of companies offering 

practices and compliance with the FCRA and fosters awareness of issues related to 
consumer protection and privacy rights within the background screening indus- 

an accreditation process. The following standards from the NAPBS Member and 
Accredited Agency Codes of Conduct call for individual members and agencies to 5 

1. Perform professional duties in accordance with the law and the highest moral 
principles and the BSAAP (Background Screening Agency Accreditation 
Program) Accreditation Standard. 

2. Observe the precepts of truthfulness, honesty, and integrity. 



■ Cybervetting 


4. Be competent in discharging professional responsibilities. 

5. Safeguard confidential information and exercise due care to prevent its 
improper disclosure. 

6. Avoid injuring the professional reputation or practice of colleagues, clients, 
or employers. 

However, nothing in this code limits a member from engaging in fair, competitive 
business practices. 

The NAPBS approach depends on the FCRA standards, 6 which are worth a 
second look: 


The FCRA says that a consumer has the right to be told if information in a con- 


Association of Internet Researchers 

of observing human behaviors online, for many purposes, most often sociological, 
psychological, or behavioral studies of human interactions online or of works of art. 
In this arena, a host of ethical questions arises as researchers interact with individu¬ 
als in “virtual worlds,” social networking sites, blogs, and Internet Relay Chat sites 
and encounter new types of content (e.g., videos, graphics, photographs) and the 
like. Questions of disclosure, informed consent, identifying and quoting without 
permission, and so on have been addressed in rich AoIR discussions from the varied 
perspectives of the social sciences, the humanities, ethical and legal scholars, and 
Internet users over the past few years. In confronting national and international 
laws, ethics, and definitions of privacy, autonomy, and netizens’ expectations, AoIR 

developed standards titled Ethical Decision-Making and Internet Research (2002, 

are admittedly fluid and hard to define, particularly in an international context. 7 
Among the salient guidelines are the following: 

■ An “ethical pluralism” approach (recognition of different ethical frameworks). 

■ An Aristotle-like attempt “to discern what [doing] the right thing at the right 
time for the right reason and in the right way may be,” through a combina¬ 
tion of judgment and the rules that apply in an individual situation. 











138 ■ Cybervetting 


Bottom Line 

It is more important to have defensible standards about Internet searching for infor¬ 
mation collection and intelligence purposes than to count on the specific stan¬ 
dards themselves, especially because the legal underpinnings are fluid. The lack 
of definitive legal rules has resulted in perhaps less Internet vetting than should 
be done. Uncertainty can be the enemy of sound ethical approaches. Anecdotal 

are using the Internet in vetting candidates; looking up fellow employees, superiors, 
and business associates; and otherwise using web information as a key part of their 

of an enterprise without any rules or policies, the possible use of Internet search 
results in illicit or inappropriate ways, and the mistaken use of incomplete, inac¬ 
curate, unreliable, and false data. 

The proposed standards in Section III include many of the elements that are 
informed by the extant legal and ethical approaches provided for guidance to disci¬ 
plines both inside and outside intelligence and investigations. 


Sites, http://www.careerbuilder.com/Articlc/CB-1337-Getting-Hircd-More-Employcrs- 
Scrccning-Candidates-via-Social-Nctworking-Sites/?ArticlcID=1337&cbRecursionCnt= 
l&cbsid=ed3b3595c5334cb0b74dab54657de7a4-334768959-RS-4&ns_siteid=ns_ 

3. HircRight, The Evolving Practice of Social Media Background Screening, http:// 
www.hireright.com/blog/2013/05/ the-evolving-practicc-of-social-mcdia-background- 

4. Lorenz, Mary, Two in Five Employers Use Social Media to Screen Candidates, 

com/2013/07/01 /two-in-five-employers-use-social-media-to-scrcen-candidates/ 
(accessed April 23, 2014). 

5. NAPBS, http://www.napbs.com/media/Factsheet.pdf, http://www.napbs.com/ 
bcnefits/code_of_conduct.cfm, and http://www.napbs.com/benefits/BSAA_Codc_of_ 
Conduct.pdf effective as of 2009 (accessed March 30, 2014). 

March 30, 2014). 

7. AoIR Ethics Working Committee, Ethical Decision-Making and Internet Research: 
2002, by the Association of Internet Researchers (AoIR), an international association 







Professional Standards and the Internet 


McKcc § Heidi A., and ^Porter, James E., Playing a Good Game: Ethical Issues in 
Researching MMOGs and Virtual Worlds, International Journal of Internet Research 

2010); McKcc, Heidi and Porter, James E~ The Ethteof Digital Writing Research: 


A Rhetorical Approach, CCC, 59.4, 2008; McKee, Heidi A., and Porter, James E., 
The Ethics of Internet Research, a Rhetorical Case-Based Process (New York: Peter Lang, 


Title 18, US Code, Part I, Chapter 1, Section 4, Misprision of a Felony, http://www. 
August 10, 2010) and similar state statutes. 

Kenneally, Erin, Bailey, Michael, and Maughan, Douglas, A Framework for 

Department of Homeland Security Working Group on Ethics, 2010, http://www. 
caida.org/publicatio ns/papers/2010/framewo rk_ethical_research/firamewo rk_ethical_ 
research.pdf (accessed August 10, 2010). 

Century, An Introduction, 2nd edition (New York: Ncal-Schuman, 2009), which con- 

Bascd on my over 15 years of collection and analysis of Internet data. 

The 30% estimate for those with a prolific presence online is derived from statistics 
published by the Pew Internet and American Life Project, http://www.pewinternet. 

rn ■ i gh was j i h m l rv a r / 

2013/04/25/thrcc-stcps-toward-managing-reputational-risk/ (accessed March 30, 2014). 





Chapter 11 

The Insider Threat 






The Insider Threat 


Notes 

1. Hcrbig, Katherine L., and Wiskoff, Martin F., Espionage against the United States by 
American Citizens 1947-2001, Technical Report 02-5, Defense Personnel Security 
Research Center (PERSEREC), July 2002, http://www.fas.org/sgp/library/spics.pdf 
(accessed March 30, 2014); Mitre Report (numerous authors), Analysis and Detection 
of Malicious Insiders, submitted to 2005 International Conference on Intelligence 
Analysis, McLean, VA; Shaw, Eric, Ruby, Kcvcn G., and Post, Jcrrold M., The Insider 

Illicit Cyber Activity in the Banking and Finance Sector^ National Threat Assessment 
Center, US Secret Service and CERT Coordination Center, Carnegie Mellon 
University Software Engineering Institute, August 2004; Sulick, Michael J., American 
Spies: Espionage against the United States from the Cold War to the Present (Washington, 

georgetown/american-spies (accessed March 30, 2014). 

2. Symantec and IDC, Worldwide Mobile Worker Population 2007-2011 Forecast, 
Symantec White Paper, March 2008; King, Rachael, Departing Employees Are 
Security Horror: Many Think Nothing of Taking Confidential Company Information 
With Them When They Leave, Wall Street Journal, October 21, 2013. 

3. InfoLink Screening Services (Kroll), Applicant Hit Ratio Analysis, 2005 (no longer 
available online). iNameCheck studies, see Chapter 4. Title 18, Section 1001, US 
Code, makes it a crime to deliberately falsify or conceal information, including appli- 

confincment and fine of up to $10,000 or both. Whether deliberate or accidental, 

21st Century Competitiveness, Committee on Education and the’ Workforce, House 
of Representatives, September 2002, http://www.gao.gov/new.items/d02717.pdf 
(accessed August 21, 2010); Needleman, Sarah E., Monitoring the Monitors: Small 

Street Journal online, August 16, 2010, http://onlinc.wsj. coL/article/NA^WSJ_PUB: 
SBl000l4240527487037489045754ll983790272268.html (accessed August 21, 







FRAMEWORK 
FOR INTERNET 
SEARCHING 





Internet Vetting and Open-Source Intelligence Policy ■ 153 


Policy 

In any enterprise, government or private, there are four stakeholders with a critical 
need to address the policy applied to Internet searching for investigative and intel¬ 
ligence purposes: the chief legal officer, the chief security officer, the chief person¬ 
nel officer, and the chief information officer. Each of these executives has personal 
operational reasons for needing to address Internet searching, but enterprise strategy 
and risk management require that the four agree on the following simple principles: 

1. Internet searching is a form of open-source intelligence that may, if used 
properly and ethically, contribute important insights in an investigation. 

2. Internet searching should be comprehensive; that is, find a high percentage of 
available information relevant to the subject. 

3. Internet searching results should be screened for accuracy and reliability, that 
is, verified for credibility and pertinence to the subject of interest. 

4. Internet searching, analysis, and reporting should be conducted by experi- 





Internet Vetting and Open-Source Intelligence Policy ■ 155 


include legal and behavioral guidance for employees on posting that complies with 
the NLRB’s enforcement of employee-employer labor relations. 

These observations about enterprise policy on cybervetting and Internet collec¬ 
tion are meant as a starting point. All businesses, agencies, and organizations should 

and other online disclosures relating to the enterprise may include proprietary data, 
enterprise policy should include guidance on the information assets themselves. 


Information Assets Protection 

The following chapters specifically outline procedures to be used for Internet search¬ 
ing for intelligence, but it is important to have an ethical strategy based on core 
tenets. Among core tenets for a business or government enterprise are the following: 








Cybervetting 







Is, Techniques, and Training 


163 










that cannot be trusted. Intelligence analysts do not seem to have great diffi- 

stream press, and experienced Internet analysts will also be able to weigh the 
credibility of online sources. As with all intelligence reporting, when an item 

information to the client while cautioning the client that it lacks verification. 

Reporting of Internet investigative results should be done to the same stan¬ 
dards required of reports from other sources. Topical headings can be used 
to organize the data into related groups. Each item should have a source cita¬ 
tion—the URL from which the item was taken. Where the item may be 
material to a decision, a copy of the web page should be captured (PDF for¬ 
mat preferred) and appended to the report. Examples of reports are included 
in Chapter 19. 


Quality Control 

To provide professional results, Internet intelligence collectors should draft reports 
that are reviewed prior to submission to the client. The reviewer and collector must 
develop and apply methods to ensure that the report of an Internet search is 



analysis can be time consuming, there is an optimal balance in each situation 
between the time/labor available, research goals, and judging when “enough 
is enough.” But, certainly, Google alone is not enough. 

■ Timely, that is, contains up-to-date information, delivered within any 


d include or discount. A key danger in Internet intelligence searching and 
nalysis is the compulsion to continue searching or stop prematurely. The 

he art of the process. 

'air, that is, includes references and details that have a high probability of 


or subjective input from the analyst (including the analyst’s prejudice), and 
adherence to the standards set for the conduct of the process. People are 
rightly concerned about their personal privacy in the Internet age. However, 
individual subjects (and their acquaintances) publicly post a great deal of 
data of potential relevance to an Internet search for background vetting, 
due diligence, or the like. To be fair, a search report must not violate the 


must respect the rights, including privacy rights, of subjects of inquiry. At 
this writing, fear of violating privacy rights or feelings of individuals is the single 
biggest reason why necessary Internet searching is officially avoided by some gov- 


in the intelligence community in the information age, the Internet provides 
just another type of open-source information—another INT, if you will (like 
HUMINT and SIGINT 9 ), perhaps WEBINT or CYBINT. 10 Incorporating 
online findings into all types of intelligence and investigative reporting should not 

information from WEBINT, there is progress being made. For background vetting 
and some types of investigations, additional policies and procedures are required 
to meet the same level of reliability as that found from other sources. The tools, 
techniques, and training, along with quality controls used, will determine success 








168 ■ Cybervetting 


Notes 

2. Holstcgc, Scan, Legal-Worker Database Flawed, National Hiring System Shows 
4% Error Rate, The Arizona Republic , June 30, 2007, http://www.azcentral.com/ 
arizonarepublic/news/articles/0630pilot0630.html?&wired (accessed June 2, 2010). 

3. Federal Rules of Criminal Procedure, see http://www.law.cornell.edu/rules/frcrmp/ 
(accessed August 21, 2010). 

wJw.gpo.gov/fdsys/granulc/CFR-2011-titlc32-voll/CFR-2011-titlc32-voll-partl47/ 
content-detail.html (accessed March 31, 2014). 

which can range from 90 minutes to 40 hours, and can be customized for the class. 

7. Intelligence cycle as described simply by the Central Intelligence Agency (CIA), https:// 
www.cia.gov/kids-pagc/6-12th-grade/who-we-are-what-we-do/the-intelligence-cycle. 
html (accessed April 1, 2014). 

8. Pew Research Journalism Project lists ethics codes from authoritative sources, helping 

ca/online_journalism_ethics/gatckeeping.htm (accessed April 1, 2014). 

9. HUMINT is the intelligence community’s acronym for human intelligence, and 
SIGINT for signals intelligence (INT, short for intelligence). 

10. WEBINT for Web intelligence, or CYBINT for cyber intelligence. 






Chapter 14 

Proper Procedures 
for Internet Searching 


Introductioi 






■ Cybervetting 


provided for them. Investigators who are active in social and professional network¬ 
ing and in tracking people online will become aware of a great deal of privileged 
information, including subjects’ personally identifying information, provocative 
and interesting anecdotes, startling and disturbing human behaviors, and facts that 

enterprise. Because many of todays investigators are part of the very open, highly 
networked world of Internet information sharing, it is especially important that 

entrusted. Periodically updated reminders of their ethical responsibilities are neces¬ 
sary to ensure that these investigators do not divulge information to which they 
have become privy in the course of their work, especially online. Further, the ease 
of collection and reporting of sensitive personal information about subjects and 

the data, discriminate against people who live alternate lifestyles, or otherwise act 
irresponsibly with confidential data. 

impact on their personal privacy (regardless of the fact that they have posted their 
information for anyone to see on the Internet), investigators need to take special 
care to protect the data found. When an investigator finds during cybervetting that 
a photograph posted publicly shows Phil looking funny in his Speedo, one must 

Based on the legal and policy standards reviewed, it appears that litigation is 

the job because privacy and the limits of cybervetting have yet to be fully litigated. 
That probability makes it imperative to have proper policies and procedures for 


Security 

security issues that are of concern to anyone on the Internet but also to additional 

stand the types of dangers they face online, which, while endemic to Internet users 
in general, are magnified by the number of searches conducted, particularly with 

■ Malicious code found on websites, in downloads (e.g., in documents, spread- 
[HyperText Markup Language]) 









Proper Procedures for Internet Searching ■ 175 


of an employee). Generally, investigative records should not be stored on the 
search machine because accidental infection with malware from searching 
could result in unwanted changes or unauthorized access to those files. 


Standard Methodology 


An organization is well advised to incorporate Internet sources into standard oper- 

collection. Based on the specific attributes of Internet searching as a source of infor¬ 
mation, especially as facts found online are used in decision making, it is important 
to have standard procedures in place. 111656 should be consistent with policy and 
constitute a first line of defense for any allegation of unfairness or lack of profes¬ 
sionalism in conducting investigations. A large number of agency heads with whom 
I have spoken about cybervetting have expressed the belief that their liability for not 

ity from what is found. All have expressed confidence in judging facts from fiction 

to other sources with which their investigators are far more familiar. As with any 
relatively new venture, Internet investigations benefit from establishment of norms 

ing advantage of the wealth of data available online. 


of court that is offered as proof in court; sec http://lcgaldictionary.thcfrecdictionary. 
com/Heresay+rule (accessed April 1, 2014). 

April 1, 2014). 

November 25, 2013). Williams, Paul, Organized Crime and Cybercrime: Implications 
definition, http://searchsecurity.techtarget.com/sDefinition/0„sidl4_gcil030284,00. 









INTERNET SEARCH 
METHODOLOGY 




Chapter 15 

Preparation and Planning 


Introduction 


Exploitation of the vast quantities of data on the Internet and accessible databases 
potentially relevant to any topic can be greatly enhanced by preparation. Some 

resource locators) normally used for the type of subject being searched (e.g., people, 
businesses, brands), and some preparations should be done just before and during 
searching. 1 First, frame the question: What is known about the person, entity, or 
topic? Next, the search should be based on the following: 


■ Nature of the data needed: What is reportable? 

■ Purpose of the search (including potential uses of results) 

■ Best sources, including standard search engines and websites 


■ Resources available 


■ Time available (deadline) 


After deciding on an initial search strategy, keyword choices should be made. 

user names, e-mail addresses, and other identifiers that potentially could appear 
in Internet postings and databases. Reverse directories can be consulted for co¬ 
entities close to a subject can include items containing important information 
about the person or entity of interest. It may be desirable to combine keywords 


179 










Preparation and Planning ■ 


Whether in a university library, company research unit, government library, county 
facility, or city library, the librarian has been trained to help the user find where 
to obtain the answers needed. Intelligence researchers often forget that outside the 
agency or company, almost any librarian is pledged to provide unbiased, confiden- 

contain volumes of data on any subject, but also today are apt to provide auto¬ 
mated indexes of publications, people, entities, and topics that can lead an analyst 
to the most authoritative and useful content on the topic sought. Because librar- 

research publications), business profiles, and other sources, they are important 
sources to consider when planning a project. 

The Reference and User Services Association of the American Library 
Association defines reference transactions as “information consultations in which 
library staff recommend, interpret, evaluate and/or use information resources to 
help others meet particular information needs.” 9 Today’s library is likely to provide 
a website accessible to anyone on the Internet for general assistance and to library 
patrons with user credentials for specific services, possibly including access to sub¬ 
references on the Internet. For example, the Library of Congress has posted many 

resources at http://www.loc.gov/ (which includes search engines). The University 
of California at Berkeley posted a search engine tutorial at http://www.lib.berke- 
ley.edu/TeachingLib/Guides/Internet/SearchEngines.html. The three search engines 
Berkeley profiled are Google, Yahoo (which is another manifestation of Bing), and 
Exalead. The Humboldt State University Library has posted a tutorial on research 
strategy by topic at http://www.libguides.humboldt.edu/guides. A tutorial provid¬ 
ing frequently updated international search resources by Emeritus Prof. Wayne A. 
Selcher, PhD, of Elizabethtown College, 10 appears at http://www2.etown.edu/vl/ 

including professional Internet researchers. 

A few hours’ reading of search tips (found by googling “Internet search tips” 

rienced searchers’ skills. Beginners in Internet searching may not be inclined to 
think of themselves as fledgling librarians, but in fact, they are asked to understand 
at least where to find the online directories and catalogs they may need to use for 
any type of search. Having library resources available may save much time and 
expense. When an investigator is starting the search for a new subject in a new 
area, the librarian can probably reduce the time needed to plan the collection by 
suggesting good places to start. Print and electronic copies of such reference works 
as telephone and crisscross directories, biographies, lists of publications, business 

the living as well as the dead), government databases, and scientific resources are 
available through the library. The trend in publishing reference materials, including 






184 ■ Cybervetting 


encyclopedias and directories of all types, favors electronic databases over printed 
reference materials. Once a resource proves useful, the analyst should make a note 
about where to find it again and maintain a list of useful sources. 


Scope Notes 


Hie most important lesson I learned from over 8 years of Internet searching is that, 

references to a subject may not be found, which can lead to the false impression that 
there are no derogatory references. The vast majority of investigations will show 
only favorable or neutral information about the subject. However, an inadequate 
search often misses key references. Examples of poor searching include links not 
reviewed, dependence on one or a few search engines and websites, failure to use all 
available keywords (e.g., name variations), and omitting alternative sources, such as 





186 ■ Cybervetting 


ctions, State Depart 


is list of fore 


s, Food and Drug 


Administration’s (FDA’s) debarment list, World Bank’s list of ineligible c 
and POGO’s list of federal contractor misconduct, to name a few. A list of these 
types of websites appears in Chapter 17. 

quantities of searches of a repetitive nature on short deadlines may consider using 
specialized analysts, who focus on certain types of online records. For example, 
an analyst might be expert in government records from federal, state, county, and 

networking, media, metasearch engines, or Internet chat rooms. Because of the 
need to include a large number of sources and assessments of findings in any search, 
parallel tasking can reduce the overall time needed to complete the assignment. 
Some duplication will result. When another specialist (“reports officer”) is used to 
compile the draft investigative report from the input of the team, the resulting work 
can be more complete, cogent, and fully documented with the content and sources 

itates the production of the final report, which is after all the aim of the exercise. 

expectations are revised based on findings, and follow-up searches on hunches 
provide unexpectedly good data or perhaps wash out. The search plan should be 

tion within the resource and time constraints available. 

Not only is planning essential to achieve efficiency in Internet intelligence pro- 
ut also it is critical to lawful, principled, ethical investigation. Having a 


nalyst and the client from possible claims 
of bias, unfairness, violation of privacy, and unethical conduct. Given the persis¬ 
tent proclivity of some to misbehave, it is likely that they will object and even go 

the organized investigator will be able to demonstrate that the search, analysis, and 
depiction of the subject’s behavior. 


Notes 

1. Hcthcrington, Cynthia, Web 2.0 Investigations that Move Beyond Google, ASIS 
International Webinar, February 17, 2010; Hock, Randolph, The Extreme Searcher’s 
Internet Handbook (Medford, NJ: Cyber Age Books, 2004). 



5. http://www.publicrccords360.com/. 







able provide a solid start, but there is still no substitute for a trained, experienced, 

and report what is needed. Contrary to popular belief, there is no application—not 
even Google—that can easily find everything you seek. 


The Browser 

Using a computer s browser, 8 an analyst collects data from resources online and uti¬ 
lizes Google and other search engines to access websites. Professional investigators 
should become familiar with the functions of their browser when a search is con¬ 
ducted and may wish to experiment with different browsers to select the one most 
comfortable to use in searching. The popularity of browsers is measured differently 

users. Besides Chrome (47% market share in some reckonings), Internet Explorer 
(25% market share), Firefox (about 20%), Safari, and Opera are popular browsers. 9 





Cybervetting 


to know these major engines (by popularity, volume of indexed pages, and potential 
to assist a searcher): 17 


Yahoo (yahoo.com) is reputed to have several billion pages indexed and currently 

appears that a Yahoo search actually employs the Bing search engine. Yahoo 
search ranks by keyword density and integrates its directories and other ser¬ 
vices (which are similar to Google s) well with searching. Boolean search pro¬ 
tocols are much like Googles. 18 

Bing, a Microsoft service, 19 has updated its search engine (since June 2009 called 
a “decision engine”) and in midsummer of 2009 agreed to power Yahoo! 
Search. Bing’s market share was recently over 18%. Bing includes seman¬ 
tic technology from Powerset (purchased in 2008), which reportedly allows 
results to include related searches to help users find information. Images, 

back-end updates and integration with social networking sites, Bing has 

Ask.com, which finds answers to questions by searching its database, 21 was 
reputed to have over 2 billion pages indexed and conducted just over 
3% of searches in March 2010, but currently conducts about 2.4%. Ask 
reportedly ranked results by ExpertRank, the number of the same subject 
pages that reference a site. Refinement of search results through filters, 

attempt to allow users to phrase questions in “natural language,” as well 
AOL search (now powered by Google), which owns MapQuest, enhances 


(AlltheWeb.com). Gigablast claims to do “real-time spidering.” Netscape 
search is powered by Google. Snap.com is powered in part by Gigablast, 
Smarter.com, SimplyHired.com, and XI Technologies and enhanced by 
Ask.com. 23 These search engines may not rank highest in number of searches 
conducted, pages indexed, market share, or elegance of presentation, but all 
have enjoyed a following because of their success in finding what a large num- 

has reduced the choices of search engines, legacy offerings are disappearing, 
and the trend is toward the top four. 


The choice of the search engines listed should not be interpreted as a rejection 
These other search engines may not provide any more or better results than the 





Search Techniques 


largest ones, but on occasion, they manage to find and rank the highest useful refer¬ 
ences to the subject of a particular search. It is not how many references, but which 
terms and pages a search engine may have indexed, cached, and presented that will 
determine its success for an individual search on a specific occasion. 


Metasearch Engines 

quickly, so each analyst must decide how many search engines to use and how 
much time should be spent reviewing results. One approach is to use metasearch 

results from each, and then amalgamate findings into ranked pages of links. 25 The 
results usually contain fewer of the component engines’ results and present them 
in a different order. Three of the largest and perhaps most successful metasearch 


Clusty.com (Yippy.com): combines results from multiple search engines, includ¬ 
ing Bing and Ask, as well as blog search engines into folders of related refer- 

Mamma.com: uses combinations of sources 28 and offers web, news, images, vid¬ 
eos, and local categories of searches 

The advantage of using metasearch engines in addition to others is that some¬ 
times an analyst can find key references to the subject more quickly and likely 
lists of websites to pursue further information collection. A disadvantage is that, 

are presented, and some relevant results are missed because many fewer indexed 
pages are cached. 

Companies like Google, Bing, Exalead, and Copernic also provide search soft¬ 
ware to companies for internal use. Enterprise search engines and Copernic are 
discussed in Chapter 18. 


Finding Search Engines 

Among the ways to refresh and validate the tools used in Internet searches 
is to conduct research periodically into search tools and sources them- 

(http://searchenginewatch.com/) and Yahoo’s catalog of search engines and direc- 
Web/Searching_the_Web/Search_Engines_and_Directories/). 





content of social networking sites about persons, labeling their service as cyber¬ 
vetting. Publicity about several companies’ services suggests that about 35 social 
networking sites are included in systematic automated collection for these services. 
Based on research for this book, it appears that a wealth of information may be 
available about a person from social networking sites. However, there are many 

vide valuable information about people and other topics. Restricting cybervetting 
collection to a limited number of social network sites omits not only those social 

YouTube (a Google property) hosts videos and currently holds massive numbers 

The size of hosted content can be illustrated by a 2008 court case 32 in which a 
judge reportedly ordered YouTube to turn over about 12 terabytes of data docu¬ 
menting users’ viewing habits to Viacom, which sued YouTube over unauthorized 
display of copyrighted materials, including 150,000 clips that had been viewed 
1.5 billion times. Although videos can be an important source of information and 
documentation of misbehavior, they are currently searched by keyword, title, or the 
poster’s identity (usually a nickname) and not by matching video content, such as 


MySpace users’ profiles have nicknames. Nicknames can be handy for 

address), but investigators must be careful because there are some f 
names used by several or even many people. MySpace links users witl 
their profiles; has blogs, photos, and videos; and specializes in music a 
ment choices. Bands, musicians, and performers have MySpace pron 

employ users’ content without permission, whether posted publicly or 
audience through privacy filters. However, free membership, most mei 
to display their content publicly, and indexing through search engines 

Twitter is the largest “microblogging platform,” with over 645 r 
tered and 115 million monthly users (according to some research), 35 wi 




networking sites that may also provide information; this includes those listed in the 
top 15 social networking sites. The popularity of such sites is apt to evolve as 
the social networking marketplace changes. One of the trends visible in recent 
years is the posting of photos, videos, and other content “in the Cloud,” accessible 
to users on multiple devices. Publicly accessible data indexed by search engines may 

A separate category of popular social networking websites concentrates on find¬ 
ing mates, significant others, dates, and sexual partners; some of these sites have 

users), PlentyofFish (23 million monthly users), Zoosk (11.5 million monthly 


monthly visitors). Many different types of dating and friendship websites exist 
for niche groups, including ones based on religion; sexual orientation; ethnicity; 
national origin; international affairs (“Russian women,” “Asian women”); biracial 
dating; wealth; and activity preferences. The AshleyMadison.com trademark is 
“Life is short. Have an affair” and describes a type of activity that has enough of a 
following online to warrant investigators’ interest. Most of these specialized social 

those approved to become members. Many dating sites appear to cater to those 
seeking PG-rated social experiences; others offer an X-rated approach. Generally, 




Search Techniqt 


201 


charge fees; many generate spam, display false but enticing offers, include explicit 
content on their pages and in subscriber communications unsuitable for most 
workplaces, display online porn offers, and even act as hubs for identity theft and 

of nudity, sex acts, alternative lifestyles (e.g., bondage and discipline, fetishes, group 
sex), and other potentially controversial content. Display of such images and audio 
could be considered offensive and create a hostile work environment under Title 


open new browser windows with explicit content. Among the porn-social sites 
are AdultFriendFinder.com, XTube.com, Fling.com, WildMatch.com, even some 
links found on Craigslist.org, and many more. Some claim to be adult sex classified 
advertising. Some have been widely criticized (e.g., AdultFriendFinder) for fraudu¬ 
lent postings and links. Analysts need to consider whether to use a proxy server 
in accessing such sites (to shield the origin of the inquiry and protect the analyst’s 

on adult sites use nicknames and postings that are not generally indexed by search 
engines unless they are also listed elsewhere online. Because adult sites may be ven¬ 
ues for misbehavior, such as violating a company’s authorized computer use policy, 
an investigator may need to sign up to search for a subject on a particular site. 

Another category of website espouses or supports causes, advocacy, protests, 


focus on this type of site if civil disobedience, vandalism, or violence is threat¬ 
ened against a person or entity. Examples of protest groups that have engaged in 
illicit activities and have been accused of terrorist, animal rights, or eco-terrorist 
acts, include animal rights groups (e.g., WAROnline.org, SHAC.net, Animal 
Liberation Front at animalliberationpressoffice.org and animanliberationfront. 
com, DirectAction.info, People for the Ethical Treatment of Animals at PETA.org 
and StopAnimalTests.com) and environmental rights (Earth-Liberation-Front.org, 
OriginalELF.com, Protest.net). Other activism is focused on such causes as peace, 










204 ■ Cybervetting 


Directories 

Web directories have provided a vital resource for many years, giving an encyclope¬ 
dic list of topics in every major category and subcategory area, with links to sources. 
Open Directory Project, a free service (http://www.dmoz.org/, now in partner¬ 
ship with AOL), is the prime example of a resource where subject matter experts 
(“volunteer editors”) have listed the best places for a user to find information on the 
chosen topic. Varieties of commercial directories are also available, such as Yahoo. 




Search Techniqi 


207 











lirectory/federal/index. 
has a directory of pro- 


itabase at http://www. 




Finding Sol 


Motley Fool (Fool.com) focuses on stocks and users, like those on Yahoo message 
boards, entertaining not only straight news items but also commentary (sometimes 
quite critical and factually questionable) about companies and their leaders. 


News 

Many current and several-year-old news items are likely to be found by search 








222 ■ Cybervetting 


a geographical region, and in some cases provide the IP address of the mail 
server used by the sender. It may not be possible to identify the individual 
sender from a dynamic IP address unless the mail service provider will agree 
to determine who used that IP address on a specific date at a specific time 
(shown on the message—if the time/date stamp is accurate). Most ISPs and 
mail service providers demand a legal process (subpoena or warrant) for an 
outside investigator to identify senders by IP address. Law enforcement or 
court intervention would be needed for that step. With a fixed IP address, 

identified. Internal enterprise investigators may be able to use IT records to 
identify the sender of an e-mail launched within the enterprise. 

4. In attempting to identify the sender of an e-mail, do not overlook analysis 
of the possible suspects’ activities at the time that the e-mail was sent and 
include an analysis of the user name, content, and context of the message 
itself. These often provide clues to the sender’s identity. Although it is possible 

possible that the sender used the same “anonymous” e-mail address or handle 
Internet. Some e-mail accounts contain public profiles identifying the user, 
business, and other sites. 

5. When all else fails, it may be possible to engage the sender of an e-mail in an 
exchange of messages that could lead to his or her identification. This ploy 

not tipped off that someone is trying to identify who he or she is and requires 
that the person answer the e-mail. If the sender is determined to remain 
anonymous, he or she may never return to the e-mail account used. However, 
some people are curious to see if there is a response to their provocation. 


Commercial Database Providers 

An increasing number of database companies provide registered clients such reports 
as business credit (e.g., Dun & Bradstreet at dnb.com and Experian at smartbusi- 
nessreports.com), employment verification (e.g., TheWorkNumber.com), and edu¬ 
cation verification (National Student Clearinghouse at StudentClearinghouse.org). 
As services continue to increase, databases like these should be sought out in peri¬ 
odic updates of resources available to the online investigator. The goal is to utilize a 
number of different sources, fusing the results into findings needed. 

As an analyst becomes more experienced and comfortable with Internet investi¬ 
gations, it is almost inevitable that the analyst will be asked to find out something 
that simply is not available on the Internet. There are many types of misbehav¬ 
ior, including malicious and destructive communications, hate speech, bullying, 






Finding Sources ■ 223 


stalking, slander against individuals and organizations, and postings corrosive of 

people, as do extreme political, religious, and moral beliefs. Personal disputes and 
sexual pursuits arise frequently in all groups. Analysts are asked to identify anony¬ 
mous actors using the Internet to carry out misbehavior. Although every assign¬ 
ment may prove possible to accomplish, the ability of users to hide behind virtual 
identities can erect an impenetrable barrier. When a high degree of difficulty is 
found, it is important to enlist the help of others, such as information technology 
(IT) systems administrators and “white-hat” hackers, who may be able to trace 
activities using their systems security methods, including system logs, firewalls, 
user-monitoring tools, and Web-tracing tools. Often, the subject is a person within 
the organization itself, even if the communications appear to come from outside. 
The analyst contributes to the identification of the subject and resolution of the 
case, even if it proves impossible to use conventional Internet investigative meth- 

ethical constraints). Collaboration with others with different skill sets has proven 
to add value to all types of Internet investigations. 

Although it may appear that the URLs of the suggested sources listed make up 

If an analyst were to use a substantial number of the URLs in manual searches, 
it could take a long time. Further, searching is step 1; review, filtering, capture, 

improve efficiency, so that is the topic of the next chapter. 


2. Hetherington, Cynthia, and Stankey, Michael L., The Manual to Online Public Records, 
The Researchers Tool to Online Public Records and Public Information, 6th edition 
(Tcmpe, AZ: BRB, 2008). 

3. Wikipedia, http://en.wikipedia.Org/wiki/Web_2.0 (accessed April 21, 2014). 

4. Wikipedia, http://en.wikipedia.org/wiki/Folksonomy and http://en.wikipedia.org/ 
wiki/Mashup_%28web_application_hybrid%29 (accessed April 21, 2014). 

5. Social Networking Fact Sheet, Pew Internet and American Life Project, September 
2013, http://www.pcwinternet.org/fect-sheets/social-networking-fact-sheet/ (accessed 
April 17, 2014). 

6. Carey, Rob, Navy CIOs blog, http://www.doncio.navy.mil/Blog.aspx (accessed 

7. Smith, Aaron, Mobile Access 2010, Pew Internet and American Life Project, July 7, 
2010, http://www.pewinternet.Org/~/media//Files/Rcports/2010/PIP_Mobile_ 
Access_2010.pdf (accessed August 22, 2010), which illustrated rapid growth in wire¬ 
less Internet use in all types of devices, including the fact that as of May 2010, 59% of 









Automation of Searching 


Enterprise Search Middleware 

A whole branch of applications has been created for corporate data mining to 
“know what we know” from massive databases that all large enterprises now have, 
including those stored “in the cloud.” These intranet applications often can extract 
data from multiple different types of databases through application programming 
interfaces that convert a query into the right language for each individual database. 

and present them to the user in a way that is simple and usable, such as converting 

or spreadsheet. Besides in-house shared data storage, one of the databases used for 
inputs into the middleware can be the Internet. 2 However, the unstructured data 
formatting and searching dynamics of the Internet are formidable challenges for 
retrieving identifiable information and integrating it into the mix. Often, middle- 

and other renditions that essentially allow the user to look at large amounts of 
information charted over a timeline, with links, trends, developments, anomalies, 
and other attributes highlighted, including grouping both identical and similar 

ing, such as pricing new products made from complex components imported from 

petition, or timelines require action or change, process management and logistics 
have improvements, and so on. Several programs facilitate data mining for police 
and corporate security investigators by processing voluminous information in gov- 

cost from hundreds of thousands to millions of dollars, including several thousand 

has access to a large agency’s customized systems and budget, such tools probably 
are unsuitable or unaffordable for Internet searching. Those who do use custom 
systems inevitably receive information that is more useful from their in-house data¬ 
bases than the Internet because the systems are not optimized for thorough Internet 

search engine, likely Google. 

gence and investigative agencies. An example is i2’s Analysis Product Line, includ¬ 
ing Analyst’s Notebook, 3 which provides an integrated suite of database software 
designed for the investigator looking for relationships, patterns, and trends (used, it 
is claimed, by over 2,000 organizations worldwide, including government agencies). 4 
A competing system is Sentinel Visualizer, which claims to provide advanced link 

Raytheon’s Digital Information Gateway (Visual Analytics) and Navagent Surf3D 










Automation of Searching ■ 229 


Best-in-Class Desktop Tool 

Currently, an example exists of a commercial off-the-shelf tool well suited for Internet 
investigators; this tool is known as Copernic Agent Personal (free) and Copernic 
Agent Professional (licensed) and is made by a Montreal company (Copernic.com) 
that also owns the classical metasearch engine Mamma.com. 15 Copernic’s free desk¬ 
top Internet search tool is good, but its turbo-charged Copernic Agent Professional 

Copernic Agent for personal use appears on the website, but the professional version 

sion has allowed a user to do customized searching efficiently and facilitated review, 
filtering, and reporting. In addition, Copernic makes desktop and enterprise search 

follow and update website activities and topics, and another tool, Summarizer, to 
extract the essence of text found to facilitate the reporting process. While Copernic 
Agent Professional was not the only tool available, its success among private and 
corporate investigators, as distinct from law enforcement, qualified it to be the only 


Investigative Search Tool Requirements 

large numbers. Copernic, for example, may query more or less 200 sites and return 
results in a few seconds. Filtering the results can be more efficient when the appli¬ 
cation allows the analyst to discard references that are false and select those that 
need in-depth review quickly and easily. Code that helps identify true references by 
name resolution (entity resolution) can help the analyst to filter possible references 
to a subject quickly and home in on those most likely to be identifiable. Much 
of the postsearch processing still must be the responsibility of the human analyst 
because computers are unable to make final identity and verification judgments. 

Today, massive databases of public and private data are offered for a fee to 
subscribers of services like those provided by LexisNexis (e.g., Acurint, furnished 

which are careful to verify subscribers’ lawful purpose for access, include TLO and 
CLEAR. 18 One of LexisNexis’ most successful capabilities in delivering records ser¬ 
vices is the ability to mine huge databases, reportedly carried out by advanced corn- 

subject of a query and pull related information into a cohesive report. As remark¬ 
able as the Acurint systems are, it is revealing that similar systems are not available 
to search for, identify references to, filter for accuracy, and compose a report from 






Automation of Searching ■ 231 


of automation is that the analyst’s time is focused on assessment and reporting of 
results rather than a manual process of search, review, select, capture, and report. 

efficient exploitation of open-source intelligence and allow processing of more sub¬ 
jects more quickly and with better results. 


A Homegrown Solution 

To solve the problem of collection online, my company developed our own propri¬ 
etary tool for analysts to use in conducting searches. It functions much like a group 
of search engines bound together into a multithreaded search engine. The tool is 
loaded with URLs that usually produce the best search results (major search engines, 
alternative search terms such as exact match, and a variety of social networking and 

address, phone, postal address, or up to 10 keywords). The predetermined searches 
are done simultaneously in a few seconds. The analyst then scans the results from 

allowing the analyst to update the queried URLs as needed to fit the purpose. It 

in the process of building our next-generation search-and-analysis tool, which we 
hope will reduce the time required to analyze search results by capturing references 
in a database from which identifiable information can be scanned, reviewed, and 
accepted or rejected efficiently and reports can be generated automatically. 


Reducing Analytical Time Using Automation 


of open-source Internet intelligence on any topic, including the search, filtering, 
analysis, composition, and reporting. Each of the steps mentioned is actually a 

new terms found in results. Here is how we have managed to reduce the time 
needed for an investigator to report results of an Internet search: 


■ Do as many searches as possible simultaneously, using available automation, 
then search key URLs from a list manually. For a new practitioner, we rec¬ 
ommend using Copernic Agent, search (Google and Bing) and metasearch 
engines, and URLs mentioned in the previous chapters, including those best 
suited for the case, to ensure that the search is 


■ Review and select results for inclusion in reporting, capturing images of 
Internet pages deemed to contain substantive information. 








Automation of Searching ■ 233 


storing the computer activities of pirates, fencers, drug dealers, thieves, crackers, 
credit card fraudsters, and spammers. Once a channel for illicit activities is identi- 

marketers, researchers of all kinds, and curious individuals to find intelligence on 
almost any topic in the same way. 


The Human Interface in Internet Investigations 

A colleague in law enforcement complained privately that today's crop of incoming 

seems reluctant to use interviews, field investigation, and traditional surveillance 

in reality, human interaction must be used to identify the websites of greatest inter¬ 
est and to find out the methodology and motivation of offenders. With only one 
or a few undercover operators, perpetrators’ Internet communications systems can 
be identified and monitored by intelligence officers. Coordination among officers 

best surveillance and witness elicitation possible. Among the sources used for this 








236 ■ Cybervetting 


6. Digital Information Gateway (Visual Analytics), a Raytheon offering, http://www. 

Surf3D Pro, http://www.navagent.com/ (accessed April 22, 2014). 

7. International Association of Crime Analysts (IACA) evaluation of crime analysis soft- 

9. Guardian Digital Forensics tool reviews, http://digitalforensictools.blogspot. 

com/2009/02/webcase-vere-software.html (accessed April 22, 2014). 

10. http://www.iaca.net/resources.aspPCatsSoftware (accessed April 22, 2014). 









Chapter 19 


Internet Intelligence 
Reporting 


Introduction 

Internet intelligence, it appears that the highest risk is in the reporting and subse- 

the computer used, which might be legally discoverable, even if no report of find¬ 
ings is made. Reports may be oral or written, but it is clear that even when formal 
reports are not written, the activities of the web searcher are chronicled in one form 

prises allow anyone to search any topic, to process any information gained as they 
wish, and to reach whatever conclusions or decisions they believe are appropriate 
based on their findings. Major search engines store records of queries not only on 
the workstation of the researcher, but also on proxies, firewalls, and search engine 
servers, identifying queries with Internet protocol (IP) addresses. A serial murderer 
in the Midwest was convicted based in part on evidence of searching and mapping 

to show bias or unfair treatment. If a pattern of unfair practices were suspected 
civil or criminal proceedings. 

Although work-related googling is widely allowed, some agencies and enterprises 

A problem created by forbidding cybervetting is that enterprise computers are apt 
to contain vestiges (evidence) of unauthorized web searching by employees, and 


237 








mcnts for the client. A (fictionalized) example might be the following: 






Entity ownership and control, including Securities and Exchange Commission 
(SEC) filings 



Internet Intelligence Reporting ■ 243 


Business credit report (e.g., Dun & Bradstreet, if not covered previously) 
History 

News media reports 

individuals and organizations have multiple websites, and online activities may or 
may not be a large portion of the report, depending on such activities. 


Source Citations 

There are two widely used methods of source citations in open-source intelligence 
reports, one in which the sources appear directly beneath the item reported and 

appended to the item, referring to a citation appearing in a section at the end of 
each page or, more often, at the end of the report. Normally, citations are not used 



■ Cybervetting 


a decision against a merger or pursuing an intellectual property theft case against a 
competitor), it may be prudent to point out the basis of the item’s attribution. Following 
is a fictionalized example from an actual case: 


online as part of his activities as a deader in the Hundred Years War massively 


Source: http://www.hundredyearswar.com/audio/839021hfnaso_4f 
[Analyst’s note: The subject was identified by the tag “Pillager” on the audio file at 

Facebook profiles, as well as revealed in a Variety interview of April 1, 2014, in which 


dentials at XWR Systems, where he is employed as a software security programmer, 
together on all of the above profiles found, as well as in the Variety story.] 


The analyst should carefully note and record (if not report) all of the indicators 

a good practice even if there is no question asked or denial on the part of a subject 
that it is a valid attribution. The analyst will find that there are many ways to link 
an individual or entity with behavior, and often, it only takes an alert observation 
to record ample evidence of the connection. Note that it is possible for a hacker to 
impersonate someone else online and post items that seem attributable, but are not. 


Verification 

Attributing a particular behavior or posting to a subject may reflect a single instance 
or may be part of a pattern of behavior. Although it appears that many Internet 
users have multiple virtual identities (user names, nicknames, handles), it is not 

■ List all or many of his or her different nicknames in a Facebook or other profile 

■ Reveal and publish his or her true name and nickname in a single communication 

Finding the virtual identities used by a subject assists the Internet investiga¬ 
tor to find all or many of the instances where online behavior is observable and 










that this tactic can be unethical, especially if the subject is duped into believ¬ 
ing that he or she is dealing with a real friend. Impersonation may be in con¬ 
flict with of state or local laws, especially if something of value is sought and 
obtained from deception. However, if the investigator pretends to be a fellow 
alumnus or other “friendly stranger” and is accepted by the subject, then any 
admission made by the subject could be considered freely made. This type of 
elicitation should be done by those trained in the art and supervised to pre- 

illicit activity by anyone, but can ethically be done to elicit information from 
a subject willing to enter a discussion. 



and explain the potentially troubling behavior found. If the subject continues to 

subject with a request for an explanation. At this point, as with the entire interview, 
the subject can elect to tell the truth, deny the truth, or explain why the reported 

verify or rule out use of the findings in the report or in adjudication. 

new playground, as well as a place where business and government conduct much 









lies to investigators, who can inadvertently download child pornography in the 

ldren, by an act of Congress, handles reports of child exploitation, including 
d pornography. Further information is available on their website (http://www. 
singkids.com/home), and specific child exploitation guidance can be found at 
>://www.missingkids.com/Report. 






Ilicit Websites and Illegal Behavior Online ■ 251 



companies devote a significant number of resources to securing users’ identitie 
and transactions against criminals whose advantage stems from the popularit; 

online porn, among which are inappropriate and offensive materials displayed 01 
workplace screens; illegal materials, including child pornography captured by an< 


Unauthorized Use of Computer Systems 

Federal and state laws forbid unauthorized access to and use of computer systems, 

disabling proprietary systems. There is a subculture of Internet users who believe 
that it is their right, if not legal and ethical, to log on to any system that allows 









Illicit Websites and Illegal Beh 








■ Cybervetting 


time in an activity such as using computers is inevitably going to make mistakes 
and leave clues and evidence of their activities. 

What is similar about the average amateur subject of Internet investigations and 
the professional cyber warrior is their humanity. Humans are error and accident 
prone. Investigators focused on the most professional and determined adversaries 
such as organized criminals, terrorists, and cyber warriors should not assume that 
the investigation is impossible or too difficult to accomplish. In over 45 years of 
experience, it has never ceased to amaze me how frequently intelligence officers 
forget or neglect to follow procedures and, by doing so, allow counterintelligence 
to discover their activities and minimize their effectiveness. Anyone can make a 

are linked. It is the Internet analyst’s job to find the mistakes and links and see how 

The most serious threats to business and government computer systems include 
talented and determined individuals, cyber warriors, who will be among those 

investigation could be one of them and be prepared to find his or her tracks online. 


Notes 

1. Census Bureau 2013 fourth quarter e-commerce report, http://www.ccnsus.gov/retail/ 
mrts/www/data/pdf/ec_current.pdf (accessed April 23, 2014). 

justice.gov/criminal/ceos/ (accessed April 24, 2014). 

3. Ibid. 

No. 41, Community Oriented Policing Services, US Department of Justice, 2010, 
http://www.cops.usdoj.gov/Publications/e04062000.pdf (accessed April 24, 2014). 

5. Patrick, Erin, Employee Internet Management: Now an HR Issue, Society for Human 
Resource Management Magazine, http://www.shrm.org/Publications/hrmagazine/ 
Editorial Content/Pages/CMS_006514.aspx (accessed April 25, 2014). 

6. PriccWaterhouseCoopers (PWC), Key findings from the 2013 US State of Cybercrime 
Survey, cosponsored by the Software Engineering Institute CERT Program at 

2013, https://www.pwc.com/en_US/us/increasing-it-effectiveness/publications/assets/ 

strategies.html; Comprehensive Study on Cybercrime, United Nations Office on Drugs 
and Crime, http://www.unodc.org/documcnts/organized-crimc/UNODC_CCPCJ_ 
EG.4_2013/CYBERCRIME_STUDY_210213.pdf (all accessed April 24, 2014). 

7. The Open Security Foundations DataLossDB gathers information about events involv¬ 
ing the loss, theft, or exposure of personally identifiable information (PII). Sec http:// 






1 Websites and Illegal Behavior Online ■ 


8. Op.cit. 

9. Hacking tools—notice they are also security tools—are described in http://sectools. 
org/ (accessed April 24, 2014). 

10. Bialik, Carl, Putting a Price Tag on Film Piracy, Wall Street Journal, April 5, 2013, 
April 24, 2014). 

11. Directors Guild of America, spring 2010, http://www.dga.org/craft/dgaq/all- 
articles/1001-spring-2010/internet-issues-piracy-statistics.aspx (accessed April 24, 

Institute for Policy Innovation, IPI Center for Technology Freedom, October 2007. 
13. Moses, Lucia, New Report Says How Much Advertising Is Going to Piracy Sites $227 
million in 2013, Ad Week, http://www.adweek.com/ncws/advcrtising-branding/new- 

Report_052213.pdf (accessed April 25, 2014). 

15. Testimony of Larry M. Wortzcl before the House of Representatives, Committee on 
Energy and Commerce Subcommittee on Oversight and Investigations, July 9, 2013, 
http://docs.housc.gov/mcctings/IF/IF02/20130709/101104/HHRG-113-IF02- 
Wstate-WortzelL-20130709-Ul.pdf (accessed April 25, 2014). 

16. Almeling, David, Snyder, Darin, Sapoznikow, Michael, McCollum, Whitney, and 
Weader, Jill, United States: A Statistical Analysis of Trade Secret Litigation in Federal 

article.asp?articfeid=97l50 (accessed May 5, 2010); Yager, Loren, director of interna¬ 
tional affairs and trade, GAO, Intellectual Property, Risk and Enforcement Challenges, 

(accessed June 1, 2010). 

17. Products identified as involved in IP theft are from cases known to me. 

030309.html (accessed April 25, 2014). 

19. Markoff, John, and Barboza, David, Academic Paper in China Sets Off Alarms in US, 
New York Times, March 10, 2010 (accessed April 25, 2014). 

20. Chinese Academics’ Paper on Cyberwar Sets Off Alarms in US, New York Times, 
March 21, 2010, http://www.nytimcs.com/2010/03/21/world/asia/21grid.html? 
pagewanted=all (accessed April 25, 2014). 

21. Liang, Qiao, and Xiangsui, Wang, Unrestricted Warfare, Senior Colonels, Chinese Peoples 
Liberation Army (Beijing: PLA Literature and Arts Publishing House, 1999). The 

http://www.e-r.info/?p=3845 (accessed April 25, 2014X which noted:^‘In 1995 the 
General Wang Pufeng, considered as the ‘father’ of Chinese doctrine of Information 

ties or the destruction of enemy troops, but the destruction of the enemy’s will to resist. 





Model Cybervetting Investigative Guidelines ■ 263 


is equally important to verify the applicants honesty and candor and see if there is 
more online (including items posted by others relevant to the subject). 


Model Internet Search Guidelines 

These Internet search guidelines shall be applied when ar 
ducted for an investigative purpose, including searches for gathering background 

ducting investigations for due diligence; to protect or resolve security issues with 
information systems; to gather evidence of illegal activities; and for investiga¬ 
tions and intelligence operations conducted at the direction of the legal, human 
resources, information technology (IT), and security departments. 


■ Internet searches will be conducted in a thorough, professional manner 
to achieve optimal results either in-house or through an authorized vendor to 
ensure that they are conducted 

- In substantially the same manner for all individuals of the same type 

■ In accordance with legal, ethical, and enterprise requirements 


Internet searches will be conducted, to the extent possible, 


■ Efficiently, within the time, information systems, client requirements, and 
up-to-date methodology available 

■ Thoroughly, accessing and retrieving data from as comprehensive an array of 
resources as possible 

to find and attribute information correctly 

■ To meet the stated needs of the client within enterprise policy 

Results of Internet searches will be analyzed and reported in accordance with 
the following criteria: 


■ Attribution of information to individuals) will be supported with evidence, 
including images of web pages found and summaries of references, with 
specifics that verify attribution, along with any indication of limitations or 
conflicts with items attributed to the subject. 

■ Information that could tend to mitigate, refute, or shed doubt on behavior 
attributed to an individual will be reported along with that which is attributed. 

■ Information verifying the subjects background or activities will be reported, 
along with substantive information that conflicts with details provided by the 




Model Cybervetting Investigative Guidelines ■ 265 


management unit, and subjects should be provided an opportunity to address 

express an intent to adhere to all applicable requirements. This process will be fol¬ 
lowed when a group of candidates deemed otherwise equally qualified for a position 
includes one or more with derogatory Internet search findings. The process will be 
carried out by trained staff and address issues raised to determine the 


Facts and circumstances (mitigating or otherwise) 
Seriousness of and culpability for any misbehavior 
Dates of occurrence 
Likelihood of recurrence 


A decision should be made on the subjects competitive position as a candidate 
based on the findings from the review. 

All personally identifying information involved in an Internet search, report- 

unauthorized disclosure, using approved enterprise processes. When the Internet 
search and personally identifying materials are no longer needed, they should be 


Authorized Internet Search (Cybervetting) Personnel 

Those conducting Internet searches (cybervetting) under the guidelines must be 
trained; must demonstrate capability with the proper systems, methods, and judg¬ 
ment needed; and should be experienced in Internet investigation. If in-house, the 
unit should be trained, equipped, and audited to ensure fairness and efficiency. If 
Internet searching is outsourced, the provider should be contracted to meet enter- 

cally for accuracy, timeliness, and adherence to requirements. 

Among the attributes necessary for Internet analysts are strong ethics; an under¬ 
standing of the types of information found online, major search engines, tools and 
techniques, the legal and regulatory issues that might arise from certain findings, 
report writing, and investigative documentation; discretion; and familiarity with 
security principles. Analysts should be trained in using automated search tools. 
Less-experienced analysts should be supervised and mentored to ensure that their 

visors prior to presentation to the client. Because reliability, credibility, attribution, 
and verification are particularly important in Internet investigations, analysts and 
supervisors of reporting should pay particular attention to 









Chapter 22 

A Model Internet 
Investigation Policy 


sented by the Internet. Significant security and personnel suitability iss 
ated when individuals engage in illegal, illicit, and unethical behaviors c 
behaviors include 


: personal pursuits tl 
, may expose systems 
Dlogy (IT) resources, i 


In addition, large quantities of data 

acquisition entity, or other individuals wl 
Such references may include informatic 


Kip with the enterprise, 
il bearing on decision 









Cybervetting 


regulations and withstand possible outside scrutiny. 1 These standards do not pre- 

rized purposes other than investigations. 

Following is a generic enterprise policy for Internet searches: 


Enterprise Internet search standards and guidelines shall be followed when Internet 


Key Considerations 


Internet searching in investigations: 


■ Some individuals may not realize that material posted online may be avail¬ 
able publicly. 

other content that could create a misimpression of a persons behavior, char- 


■ Some information may concern an individuals protected class, including 
employment actions under Title VII of the Equal Opportunity Employment 

■ More than one individual may use the same e-mail address or user ID online, 
thus complicating the identification of the person who posted specific materials. 

tors regarding Internet postings should be evaluated (e.g., humorous items). 


Higher-Risk Candidates 

Certain categories of individuals may be considered to represent a higher likeli¬ 
hood of having relevant Internet materials that could have an impact on enterprise 

tion, including 

■ IT professionals and systems administrators 

■ Website designers, software authors, and programmers 



A Model Internet Investigation Policy ■ 271 


■ Persons with access to the highest levels of sensitive data, including executives 
and managers and those in a position to compromise devices or networks, 

■ Sworn personnel of law enforcement, intelligence, military, security, execu¬ 
tive, and similarly demanding positions 

■ Those with a prior history of extensive computer/Internet use 

■ Those with a prior history of computer systems abuse or online misbehavior 

■ Anyone about whom indications of improper Internet use arise from disclo- 


Application Procedures and Forms 

Internet investigations for background vetting (cybervetting) should be supported 
by application procedures and forms that strengthen and document the notice-and- 
consent process for candidates, elicit information to be used in Internet searches, 
and protect the privacy of individual applicants by limiting the data required (e.g., 

wish to include a policy statement about cybervetting, such as that a hiring deci- 
to those used already 


■ Notice that the background investigation will include cybervetting 

■ A signed consent form acknowledging the above 

■ Internet-related questions as part of the application form, which should ask for 

- E-mail addresses, user names, and nicknames used online 

- Websites, blogs, online communities, and profiles used frequently, includ- 

- Existing or past postings that might be considered offensive or illicit 

- Instances of disciplinary action or sanctions for misuse of an informa- 

- Other questions deemed appropriate for the computing environment of 
the enterprise 

The current state of the law at all levels makes the issue of prior notice and con¬ 
sent for cybervetting debatable. Currently used notice and consent forms autho¬ 
rizing a background investigation may be sufficient for many enterprises. Most 
application forms ask for all the names used by the applicant, but often employers do 
not require a listing of all of the candidate s e-mail addresses and user names, which 

is preferable to its inclusion without notice, but many attorneys believe that the cur¬ 
rent process can include cybervetting at the discretion of the employer. 




Cybervetting 


They argue that when the applicant understands that prior employers, refer¬ 
ences, associates, and records will be consulted to verify his or her qualifications 
and eligibility for the position, addition of public Internet records is no more intru¬ 
sive than the rest of the background investigation. Those arguing against searching 
without notice point out that some of the posted materials were not intended for 
viewing by prospective employers. No case law appears to back up this argument 


Legal Issues 


In the absence of legislation, litigation, and a history of cybervetting, every enter¬ 
prise properly should consider measures to handle those relatively few instances 
(6% to 30% of those cybervetted, in our experience) for which derogatory infor¬ 
mation from Internet investigation could result in an adverse finding. Despite the 
percentages, even one or a few individuals can represent a significant risk of large- 
scale loss. Background investigations, including cybervetting, are often conducted 

must be documented, and the candidate may be legally entitled to an explanation 
under the Fair Credit Reporting Act and related federal laws and regulations if the 
cybervetting is conducted by a third party. 

The subject is the person in the best position to verify findings, including 





A Model Internet Investigation Policy ■ 


activities. 3 However, if illegal or prohibited activities or derogatory postings are 
suspected, the best option for the candidate and the employer may be to have the 
candidate show the investigator the postings in question. Several chiefs of police 
have stated that Internet data are too important in judging the trustworthiness of 
candidate police officers not to require them all to log in and show an investigator 
their online profiles. This approach avoids violation of user agreements that prohibit 
sharing passwords to accounts, while allowing the candidate to provide a guided 
tour that demonstrates and explains postings. 

Illegal activities may be detected by Internet searching. A common crime is 
c, and software via file-sharing groups 

or to adjudicating a candidacy because 
common misdemeanors and misbehavior are likely to be encountered, and some 
standard is better than none. Examples include 

■ Frequent, high-volume, illicit file sharing in which a candidate engaged 

■ Underage drinking and illicit drug use 

■ Use of work resources (e.g., computers, time, and materials) for personal 

■ Unauthorized access to, taking, disclosure, alteration, or deletion of propri¬ 
etary data 


copyright violation by collecting hlms, i 


Confidentiality 

It is important to the integrity of the Internet investigative process that the confi¬ 
dentiality of the inquiry and any data with personally identifying information be 

periodically in conjunction with related enterprise systems. When no longer 
needed, confidential, personally identifying data should be permanently deleted. 


Ethics in Investigations 

It is important to set limits on methods used during cybervetting to avoid those 
that could be considered unethical or illegal. Examples of ethical principles include 
the following: 


■ Search methods must not violate laws or regulations. 

■ Internet investigators should abide by authorized use policies (AUPs) of web¬ 
sites to the extent possible. 





■ Cybervetting 


Notes 

2. Federal job discrimination laws summary, http://www.ee0c.g0v/facts/qanda.h 
(accessed April 25, 2014). 

3. McCullagh, Declan, Want a Job? Give Bozeman your Facebook, Google Passwo 




Chapter 23 

A Model Internet 
Posting Policy 



id other organizat: 
their authorized 


s should consider adding 
policy, employee hand- 


dentiality agreements, and disciplinary procedi 


unauthorized, or illicit. Anonymous slander of businesses ar 
common online, posing challenges, including identification 

of a model posting policy 1 : 


t from work and from 

id agencies is relatively 
of the perpetrator and 



277 









A Model Internet Posting Policy ■ 


name, or anonymously. The personnel and security departments should formulate 
an approach that anticipates and mitigates the risk that a disgruntled employee 
could use the Internet to attack the enterprise. Case law supports the enforcement 
of confidentiality agreements in such cases. 

as they wish, and experience has shown that references to employers online are over¬ 
whelmingly positive. Authorized Internet postings should be encouraged, including 
those on professional business websites likely to cast the enterprise and the employee 

standards and guidelines to discourage improper and unlawful Internet postings. 


Note 






with authorized access, in the inner circle of the individual’s profile, and from any 
programming designed to share data by pushing it to others online. It is the nature 
of the exposure allowed by the poster, within the access allowed by the website, that 
determines the degree of privacy reasonably expected for data placed online. 

For investigators, the plain view approach to privacy is both ethical and fair. If 

that are of use to an inquiry, then it is appropriate for the investigator to find and 
collect them. Users overwhelmingly choose little or no protections for postings 3 

although recent surveys show that while teens are more apt to post many personal 
details, adults increasingly desire to protect their information online, realizing that 
many personal details about them are available on the public Internet. 


Smoking Guns 

Some agencies and companies have made an effort to discover the types of materi- 

instance, it has been possible to find publicly visible, outrageous behavior online. 
Examples of the kinds of problems that arise were provided previously and include 





Cybervetting 


illegal and illicit activities by public servants and senior employees, outrageous post¬ 
ings that defame the employer, law enforcement officer misbehavior that impairs 
criminal justice and court functions, treasonous leaks by intelligence personnel, and 
insider revelations that violate intellectual property protection and stock trading laws. 

In guidance for cybervetting provided in an American Bar Association publica¬ 
tion, 4 a CareerBuilder study was quoted that demonstrates the utility of Internet 
searches, listing the top reasons from findings online that caused no-hire decisions: 

■ 50%—Posting provocative/inappropriate photos or information; 

■ 48%—Posting about drinking or using drugs; 

■ 33%—Bad-mouthing a prior employer; 

■ 30%—Bad communication skills; 

■ 28%—Making discriminatory comments related to race, gender, religion, 
and the like; 

■ 24%—Lying about qualifications. 

Employers are already dealing with complaints about, and accidental discov- 
would have resulted in no-hire or termination decisions had they been known. 

cybervetting, costing corporations considerable sums when disqualifying facts are 
learned—too late. The cost of cybervetting may be a factor in the decision not to 

that of cybervetting, especially with regard to the key positions with the highest 
risk of loss if the person selected is a bad choice. 

Most serious online misbehavior detected results in administrative sanctions 
against employees (e.g., firing or discipline), so most cases of this type do not appear 
in public. For medium-to-large enterprises, Internet issues are a daily or at least 

than are organizations’ measures to address emerging online security problems. 


Completeness of Internet Searching 

The vastness of the Internet and wide variety of activities raise a question about what 
constitutes a thorough search. Some personnel departments during background 
investigations arbitrarily combine a Google search with queries of Facebook, 
MySpace, Twitter, and other popular social networking sites, ignoring hundreds 
or thousands of other types of online data. Each enterprise should define what 
constitutes sufficiency of Internet searching for its purposes, based on a risk assess- 

this calculation is the fact that there are thousands of websites that promote and 
host illicit activities, from extramarital affairs, to exchange of copyrighted works 







288 ■ Cybervetting 


6. Troy, Thomas F., Donovan and the CIA: A History of the Establishment of the Central 
Intelligence Agency (Frederick, MD: University Publications of America, 1981). 

2013, and other Pew studies, sec http://www.pewintcrnet.org/2013/09/05/anonymity- 



FORENSICS & CRIMINAL JUSTICE 









